Trojan.MSIL.Agent.YCA

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 13,614
Threat Level: 80 % (High)
Infected Computers: 8,050
First Seen: January 15, 2022
Last Seen: March 1, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Agent.YCA
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 5.0.0.0
  • 4.3.6.29878
Comments
  • 2hEHODAqeRP
  • Dip-Schalter für Märklin-Decoder einstellen
  • eRxn
  • jCJWybf4JWWbsf5W
  • MSRp6Iob3OklaaF
  • SHiSanwhole
  • vfV7B4a2EEwNlKebdgHeEbTFfRUws
Company Name
  • 2KEZl
  • AD-Software
  • Qkrh1F2oi6HpdTjl
  • rxXKPzO2ceJuc
  • TT5o8xbDJiKCdUFShBjKMW
  • Vmefkg46NloPzT
File Description
  • Märklin Dip-Switch
  • SHiSanwhole
File Version
  • 926.0.330.779
  • 492.192.481.302
  • 305.982.273.229
  • 296.333.987.84
  • 213.2.323.651
  • 5.15.2.0
  • 5.0.0.0
  • 4.3.6.29878
  • 1.1.1o
Internal Name
  • 7q7GsJfzajdT.exe
  • 177W.exe
  • HdZ0CPd7J4c.exe
  • Khma.exe
  • libcrypto
  • MaDipSwitchPC.exe
  • SHiSanwholes.exe
  • TKXzIiGmJFmpaL9.exe
Legal Copyright
  • 6xvm9hRSllWanEMnR15RH7h
  • Copyright 1998-2022 The OpenSSL Authors. All rights reserved.
  • Copyright © 1982 - 2010, AD-Software
  • KIpsn
  • NhTcrNQt
  • uUz
  • W4dxrO1SSFQreZOe2VX8V4mp
Legal Trademarks
  • AD-Software
  • SHiSanwhole
Original Filename
  • 5UKwxmsYVKHiVFPQW.exe
  • BYAURfsRVjJD3k6nbQRA2b.exe
  • GUEzwEPlaubE.exe
  • libcrypto
  • libGLESv2.dll
  • MaDipSwitchPC.exe
  • QjGdvu79b5p.exe
  • SHiSanwholes.exe
  • wECcjsyUQLhaYU.exe
Product Name
  • cDM
  • e5eWS
  • ga2rfra3jDhzM1bhgk0PWEY3ZHI1
  • iCWhDLaZr1
  • libGLESv2
  • MärklinDipSwitch
  • SHiSanwhole
  • ZpVIS7
Product Version
  • 755.967.634.697
  • 685.503.953.478
  • 641.634.326.375
  • 640.267.859.48
  • 495.857.943.74
  • 5.15.2.0
  • 5.0.0.0
  • 4.3.6.29878
  • 1.1.1o

File Traits

  • .NET
  • .sdata
  • HighEntropy
  • Reactor
  • RijndaelManaged
  • x64
  • x86

Block Information

Total Blocks: 4,617
Potentially Malicious Blocks: 308
Whitelisted Blocks: 3,671
Unknown Blocks: 638

Visual Map

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.ACLE
  • MSIL.Agent.YCG
  • MSIL.HackAgent.RE
  • MSIL.Injector.BM
  • MSIL.Krypt.MBAO
  • MSIL.Krypt.MBARE
  • MSIL.Krypt.MBAXB
  • MSIL.Krypt.MBAXI
  • MSIL.Krypt.MBRC
  • MSIL.Krypt.RQ
  • MSIL.Spy.Agent.DN
  • MSIL.Spy.QJ
  • MSIL.Spy.QVK

Files Modified

File Attributes
c:\program files (x86)\internet explorer\en-us\54136267814307 Generic Write,Read Attributes
c:\program files (x86)\internet explorer\en-us\9e8d7a4ca61bd9 Generic Write,Read Attributes
c:\program files (x86)\internet explorer\en-us\rcx5e4f.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\internet explorer\en-us\rcx5ff6.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\internet explorer\en-us\runtimebroker.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\internet explorer\en-us\runtimebroker.exe Synchronize,Write Data
c:\program files (x86)\internet explorer\en-us\xenguestagent.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\microsoft\edgecore\138.0.3351.55\ebwebview\x64\27d1bcfc3c54e0 Generic Write,Read Attributes
c:\program files (x86)\microsoft\edgecore\138.0.3351.55\ebwebview\x64\5b884080fd4f94 Generic Write,Read Attributes
c:\program files (x86)\microsoft\edgecore\138.0.3351.55\ebwebview\x64\fontdrvhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\microsoft\edgecore\138.0.3351.55\ebwebview\x64\system.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windows portable devices\91fa67458c55524fd9659662b348794fb6bb08b3_0001066496.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windows portable devices\92fb16f5067711 Generic Write,Read Attributes
c:\program files (x86)\windows sidebar\24dbde2999530e Generic Write,Read Attributes
c:\program files (x86)\windows sidebar\shared gadgets\088424020bedd6 Generic Write,Read Attributes
c:\program files (x86)\windows sidebar\shared gadgets\54136267814307 Generic Write,Read Attributes
c:\program files (x86)\windows sidebar\shared gadgets\conhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windows sidebar\shared gadgets\f3b6ecef712a24 Generic Write,Read Attributes
c:\program files (x86)\windows sidebar\shared gadgets\spoolsv.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windows sidebar\shared gadgets\xenguestagent.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windows sidebar\wmiprvse.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windowspowershell\configuration\schema\088424020bedd6 Generic Write,Read Attributes
c:\program files (x86)\windowspowershell\configuration\schema\886983d96e3d3e Generic Write,Read Attributes
c:\program files (x86)\windowspowershell\configuration\schema\conhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windowspowershell\configuration\schema\csrss.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\5b884080fd4f94 Generic Write,Read Attributes
c:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\fontdrvhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\msft_packagemanagement\en-us\54136267814307 Generic Write,Read Attributes
c:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\msft_packagemanagement\en-us\55b276f4edf653 Generic Write,Read Attributes
c:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\msft_packagemanagement\en-us\startmenuexperiencehost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\msft_packagemanagement\en-us\xenguestagent.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\reference assemblies\microsoft\cc11b995f2a76d Generic Write,Read Attributes
c:\program files\reference assemblies\microsoft\winlogon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\windows multimedia platform\21b1a557fd31cc Generic Write,Read Attributes
c:\program files\windows multimedia platform\6203df4a6bafc7 Generic Write,Read Attributes
c:\program files\windows multimedia platform\dashost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\windows multimedia platform\lsass.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\windows photo viewer\en-us\886983d96e3d3e Generic Write,Read Attributes
c:\program files\windows photo viewer\en-us\9e8d7a4ca61bd9 Generic Write,Read Attributes
c:\program files\windows photo viewer\en-us\cd89ddd3d81b06 Generic Write,Read Attributes
c:\program files\windows photo viewer\en-us\csrss.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\windows photo viewer\en-us\ea9f0e6c9e2dcd Generic Write,Read Attributes
c:\program files\windows photo viewer\en-us\runtimebroker.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\windows photo viewer\en-us\taskhostw.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\windows photo viewer\en-us\tiworker.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\windows sidebar\shared gadgets\27b434ba3dcee9 Generic Write,Read Attributes
c:\program files\windows sidebar\shared gadgets\ee2ad38f3d4382 Generic Write,Read Attributes
c:\program files\windows sidebar\shared gadgets\registry.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\windows sidebar\shared gadgets\securityhealthsystray.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\088424020bedd6 Generic Write,Read Attributes
c:\recovery\oem\55b276f4edf653 Generic Write,Read Attributes
c:\recovery\oem\5940a34987c991 Generic Write,Read Attributes
c:\recovery\oem\6203df4a6bafc7 Generic Write,Read Attributes
c:\recovery\oem\66fc9ff0ee96c2 Generic Write,Read Attributes
c:\recovery\oem\69ddcba757bf72 Generic Write,Read Attributes
c:\recovery\oem\75a57c1bdf437c Generic Write,Read Attributes
c:\recovery\oem\886983d96e3d3e Generic Write,Read Attributes
c:\recovery\oem\91fa67458c55524fd9659662b348794fb6bb08b3_0001066496.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\92fb16f5067711 Generic Write,Read Attributes
c:\recovery\oem\9e8d7a4ca61bd9 Generic Write,Read Attributes
c:\recovery\oem\conhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\csrss.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\dllhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\lsass.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\runtimebroker.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\sihost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\smss.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\startmenuexperiencehost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\recovery\oem\wmiadap.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\088424020bedd6 Generic Write,Read Attributes
c:\sandbox_local\1a5d5b8dcee3d8 Generic Write,Read Attributes
c:\sandbox_local\1f93f77a7f4778 Generic Write,Read Attributes
c:\sandbox_local\24dbde2999530e Generic Write,Read Attributes
c:\sandbox_local\26c12092da979c Generic Write,Read Attributes
c:\sandbox_local\38384e6a620884 Generic Write,Read Attributes
c:\sandbox_local\55b276f4edf653 Generic Write,Read Attributes
c:\sandbox_local\5b884080fd4f94 Generic Write,Read Attributes
c:\sandbox_local\66fc9ff0ee96c2 Generic Write,Read Attributes
c:\sandbox_local\886983d96e3d3e Generic Write,Read Attributes
c:\sandbox_local\9e8d7a4ca61bd9 Generic Write,Read Attributes
c:\sandbox_local\c5b4cb5e9653cc Generic Write,Read Attributes
c:\sandbox_local\cc11b995f2a76d Generic Write,Read Attributes
c:\sandbox_local\cmd.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\conhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\conhost.exe Synchronize,Write Data
c:\sandbox_local\csrss.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\ctfmon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\ebf1f9fa8afd6d Generic Write,Read Attributes
c:\sandbox_local\ee2ad38f3d4382 Generic Write,Read Attributes
c:\sandbox_local\f8c8f1285d826b Generic Write,Read Attributes
c:\sandbox_local\fontdrvhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\memory compression.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\mousocoreworker.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\rcx9b05.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\sandbox_local\rcx9ba3.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\sandbox_local\registry.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\runtimebroker.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\searchapp.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\services.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\shellexperiencehost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\sihost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\startmenuexperiencehost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\winlogon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\wmiprvse.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\logs\24dbde2999530e Generic Write,Read Attributes
c:\sandbox_stage\logs\7ee772331d2f36 Generic Write,Read Attributes
c:\sandbox_stage\logs\9e8d7a4ca61bd9 Generic Write,Read Attributes
c:\sandbox_stage\logs\runtimebroker.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\logs\sandboxhandler.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\logs\wmiprvse.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\mnt\ea9f0e6c9e2dcd Generic Write,Read Attributes
c:\sandbox_stage\mnt\nas\54136267814307 Generic Write,Read Attributes
c:\sandbox_stage\mnt\nas\builds\csrss.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\builds\csrss.exe Generic Write,Read Attributes
c:\sandbox_stage\mnt\nas\builds\csrss.exe Generic Write,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\builds\csrss.exe Generic Write,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\builds\csrss.exe Generic Write,Read Data,Read Attributes
c:\sandbox_stage\mnt\nas\builds\csrss.exe Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\builds\csrss.exe Generic Write,Read Data,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\builds\xenguestagent.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\builds\xenguestagent.exe Generic Write,Read Attributes
c:\sandbox_stage\mnt\nas\builds\xenguestagent.exe Generic Write,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\builds\xenguestagent.exe Generic Write,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\builds\xenguestagent.exe Generic Write,Read Data,Read Attributes
c:\sandbox_stage\mnt\nas\builds\xenguestagent.exe Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\builds\xenguestagent.exe Generic Write,Read Data,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\live\csrss.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\live\csrss.exe Generic Write,Read Attributes
c:\sandbox_stage\mnt\nas\live\csrss.exe Generic Write,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\live\csrss.exe Generic Write,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\live\csrss.exe Generic Write,Read Data,Read Attributes
c:\sandbox_stage\mnt\nas\live\csrss.exe Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\live\csrss.exe Generic Write,Read Data,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\live\dashost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\live\dashost.exe Generic Write,Read Attributes
c:\sandbox_stage\mnt\nas\live\dashost.exe Generic Write,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\live\dashost.exe Generic Write,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\live\dashost.exe Generic Write,Read Data,Read Attributes
c:\sandbox_stage\mnt\nas\live\dashost.exe Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\live\dashost.exe Generic Write,Read Data,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\stage\scan_task_definitions\tiworker.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\stage\scan_task_definitions\tiworker.exe Generic Write,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\stage\scan_task_definitions\tiworker.exe Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\stage\taskhostw.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\stage\taskhostw.exe Generic Write,Read Attributes
c:\sandbox_stage\mnt\nas\stage\taskhostw.exe Generic Write,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\stage\taskhostw.exe Generic Write,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\stage\taskhostw.exe Generic Write,Read Data,Read Attributes
c:\sandbox_stage\mnt\nas\stage\taskhostw.exe Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\sandbox_stage\mnt\nas\stage\taskhostw.exe Generic Write,Read Data,Read Attributes,LEFT 262144
c:\sandbox_stage\mnt\nas\xenguestagent.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\mnt\taskhostw.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\savesdllcommon Synchronize,Write Attributes
c:\savesdllcommon\__tmp_rar_sfx_access_check_23859 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\savesdllcommon\hm0b2ufqshectnrtbxiky0s.bat Generic Write,Read Attributes
c:\savesdllcommon\hm0b2ufqshectnrtbxiky0s.bat Synchronize,Write Attributes
c:\savesdllcommon\mjhsjdb8qaxrvu.vbe Generic Write,Read Attributes
c:\savesdllcommon\mjhsjdb8qaxrvu.vbe Synchronize,Write Attributes
c:\savesdllcommon\monitordhcp.exe Generic Write,Read Attributes
c:\savesdllcommon\monitordhcp.exe Synchronize,Write Attributes
c:\startup_test\logs\088424020bedd6 Generic Write,Read Attributes
c:\startup_test\logs\0b09c1e5c91e45 Generic Write,Read Attributes
c:\startup_test\logs\1a5d5b8dcee3d8 Generic Write,Read Attributes
c:\startup_test\logs\27d1bcfc3c54e0 Generic Write,Read Attributes
c:\startup_test\logs\2afe4ed40d5a86 Generic Write,Read Attributes
c:\startup_test\logs\6ccacd8608530f Generic Write,Read Attributes
c:\startup_test\logs\7ee772331d2f36 Generic Write,Read Attributes
c:\startup_test\logs\97fb39f34a7b15 Generic Write,Read Attributes
c:\startup_test\logs\conhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\startup_test\logs\idle.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\startup_test\logs\memory compression.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\startup_test\logs\memory compression.exe Synchronize,Write Attributes
c:\startup_test\logs\memory compression.exe Synchronize,Write Data
c:\startup_test\logs\phoneexperiencehost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\startup_test\logs\rcx97c7.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\startup_test\logs\rcx9864.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\startup_test\logs\sandboxhandler.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\startup_test\logs\smartscreen.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\startup_test\logs\system.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\startup_test\logs\userinit.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\21b1a557fd31cc Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_1zyasyyf.keo.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_32jvo4vu.gze.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_avvlltdu.qth.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_jdxhbp2u.pdf.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\djzwiu8mj3.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\eemdb2d7ou Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ftrekemili Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kair0xoi7c.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\lweawztjkr Generic Write,Read Attributes
c:\users\user\appdata\local\temp\oprv074rjp.bat Generic Write,Read Attributes
c:\users\user\dashost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\documents\märklindipswitch\89d24977cb674c15206d6f9b6d3873b6b01b5e80_0000912384.log Generic Write,Read Attributes
c:\users\user\downloads\0b09c1e5c91e45 Generic Write,Read Attributes
c:\users\user\downloads\91e168f4ec1147 Generic Write,Read Attributes
c:\users\user\downloads\9e8d7a4ca61bd9 Generic Write,Read Attributes
c:\users\user\downloads\af09d8410bc95c Generic Write,Read Attributes
c:\users\user\downloads\b748e7ddd51b9ce245581a6016dea59c6ea8354c_0002103296 Synchronize,Write Attributes
c:\users\user\downloads\b748e7ddd51b9ce245581a6016dea59c6ea8354c_0002103296 Synchronize,Write Data
c:\users\user\downloads\cd89ddd3d81b06 Generic Write,Read Attributes

60 additional files are not displayed above.

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::mousocoreworker "C:\sandbox_local\MoUsoCoreWorker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::mousocoreworker "C:\sandbox_local\MoUsoCoreWorker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::sandboxhandler "C:\Windows\CbsTemp\SandboxHandler.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::sandboxhandler "C:\Windows\CbsTemp\SandboxHandler.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::xenguestagent "C:\sandbox_stage\mnt\nas\xenguestagent.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::xenguestagent "C:\sandbox_stage\mnt\nas\xenguestagent.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::smss "C:\Recovery\OEM\smss.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::smss "C:\Recovery\OEM\smss.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::userinit "C:\startup_test\logs\userinit.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::userinit "C:\startup_test\logs\userinit.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::runtimebroker "C:\sandbox_live\logs\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::runtimebroker "C:\sandbox_live\logs\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::sppextcomobj "C:\Users\user\downloads\SppExtComObj.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::sppextcomobj "C:\Users\user\downloads\SppExtComObj.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::system "C:\startup_test\logs\System.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::system "C:\startup_test\logs\System.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::fontdrvhost "C:\Program Files (x86)\Microsoft\EdgeCore\138.0.3351.55\EBWebView\x64\fontdrvhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::fontdrvhost "C:\Program Files (x86)\Microsoft\EdgeCore\138.0.3351.55\EBWebView\x64\fontdrvhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::sandboxhandler "C:\startup_test\logs\SandboxHandler.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::sandboxhandler "C:\startup_test\logs\SandboxHandler.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::system "C:\Program Files (x86)\microsoft\edgecore\138.0.3351.55\ebwebview\x64\System.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::system "C:\Program Files (x86)\microsoft\edgecore\138.0.3351.55\ebwebview\x64\System.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::shellexperiencehost "C:\Users\user\downloads\ShellExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::shellexperiencehost "C:\Users\user\downloads\ShellExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::runtimebroker "C:\sandbox_live\logs\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::runtimebroker "C:\sandbox_live\logs\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\Windows\CbsTemp\SandboxHandler.exe", "C:\sandbox_stage\mnt\nas\xengues RegNtPreCreateKey
HKCU\software\9a38e4d2bfa9ca620cf2ddcc0f53a6589279a9b7::01fb54967598851fa627bcf84d2cc6db3938ab22 WyJjOlxcdXNlcnNcXHVzZXJcXGRvd25sb2Fkc1xcYzBmYzRmZjU0YTZjZmFhODJjNWQ4NzZiYjA2ODMyYTBiZmQxMTE0OV8wMDAxNjYxOTUyLmV4ZSIsIkM6XFxzYW5k RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::conhost "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::conhost "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe", "C:\sandbox_local\MoUsoCoreWorker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::csrss "C:\Program Files\Windows Photo Viewer\en-US\csrss.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::csrss "C:\Program Files\Windows Photo Viewer\en-US\csrss.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe", "C:\sandbox_local\MoUsoCoreWorker.exe", "C:\P RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::xenguestagent "C:\Program Files (x86)\windows sidebar\shared gadgets\xenguestagent.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::xenguestagent "C:\Program Files (x86)\windows sidebar\shared gadgets\xenguestagent.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::startmenuexperiencehost "C:\sandbox_local\StartMenuExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::startmenuexperiencehost "C:\sandbox_local\StartMenuExperienceHost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::csrss "C:\sandbox_local\csrss.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::csrss "C:\sandbox_local\csrss.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::tiworker "C:\Program Files\windows photo viewer\en-us\TiWorker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::tiworker "C:\Program Files\windows photo viewer\en-us\TiWorker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::sihost "C:\Recovery\OEM\sihost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::sihost "C:\Recovery\OEM\sihost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::searchapp "C:\Windows\LiveKernelReports\SearchApp.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::searchapp "C:\Windows\LiveKernelReports\SearchApp.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::idle "C:\startup_test\logs\Idle.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::idle "C:\startup_test\logs\Idle.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::phoneexperiencehost "C:\sandbox_live\logs\PhoneExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::phoneexperiencehost "C:\sandbox_live\logs\PhoneExperienceHost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::runtimebroker "C:\Program Files\windows photo viewer\en-us\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::runtimebroker "C:\Program Files\windows photo viewer\en-us\RuntimeBroker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::trustedinstaller "C:\Windows\livekernelreports\TrustedInstaller.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::trustedinstaller "C:\Windows\livekernelreports\TrustedInstaller.exe" RegNtPreCreateKey
HKCU\software\9a38e4d2bfa9ca620cf2ddcc0f53a6589279a9b7::01fb54967598851fa627bcf84d2cc6db3938ab22 WyJjOlxcdXNlcnNcXHVzZXJcXGRvd25sb2Fkc1xcYzBmYzRmZjU0YTZjZmFhODJjNWQ4NzZiYjA2ODMyYTBiZmQxMTE0OV8wMDAxNjYxOTUyLmV4ZSIsIkM6XFxQcm9n RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::phoneexperiencehost "C:\startup_test\logs\PhoneExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::phoneexperiencehost "C:\startup_test\logs\PhoneExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\startup_test\logs\PhoneExperienceHost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::xenbus_monitor_9_1_8_88 "C:\Users\user\downloads\xenbus_monitor_9_1_8_88.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::xenbus_monitor_9_1_8_88 "C:\Users\user\downloads\xenbus_monitor_9_1_8_88.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\startup_test\logs\PhoneExperienceHost.exe", "C:\Users\user\downloads\xenbus_monitor_9_1_8_88.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::shellexperiencehost "C:\sandbox_local\ShellExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::shellexperiencehost "C:\sandbox_local\ShellExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\startup_test\logs\PhoneExperienceHost.exe", "C:\Users\user\downloads\xenbus_monitor_9_1_8_88.exe", "C:\sandbox RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::smartscreen "C:\startup_test\logs\smartscreen.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::smartscreen "C:\startup_test\logs\smartscreen.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::smartscreen "C:\sandbox_live\logs\smartscreen.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::smartscreen "C:\sandbox_live\logs\smartscreen.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::lsass "C:\Program Files\Windows Multimedia Platform\lsass.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::lsass "C:\Program Files\Windows Multimedia Platform\lsass.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::wmiadap "C:\Recovery\OEM\WMIADAP.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::wmiadap "C:\Recovery\OEM\WMIADAP.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::runtimebroker "C:\sandbox_stage\logs\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::runtimebroker "C:\sandbox_stage\logs\RuntimeBroker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::91fa67458c55524fd9659662b348794fb6bb08b3_0001066496 "C:\Recovery\oem\91fa67458c55524fd9659662b348794fb6bb08b3_0001066496.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::91fa67458c55524fd9659662b348794fb6bb08b3_0001066496 "C:\Recovery\oem\91fa67458c55524fd9659662b348794fb6bb08b3_0001066496.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::conhost "C:\startup_test\logs\conhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::conhost "C:\startup_test\logs\conhost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::91fa67458c55524fd9659662b348794fb6bb08b3_0001066496 "C:\Program Files (x86)\Windows Portable Devices\91fa67458c55524fd9659662b348794fb6bb08b3_0001066496.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::91fa67458c55524fd9659662b348794fb6bb08b3_0001066496 "C:\Program Files (x86)\Windows Portable Devices\91fa67458c55524fd9659662b348794fb6bb08b3_0001066496.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::sandboxhandler "C:\sandbox_stage\logs\SandboxHandler.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::sandboxhandler "C:\sandbox_stage\logs\SandboxHandler.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::dashost "C:\Program Files\windows multimedia platform\dasHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::dashost "C:\Program Files\windows multimedia platform\dasHost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::wmiprvse "C:\sandbox_stage\logs\WmiPrvSE.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::wmiprvse "C:\sandbox_stage\logs\WmiPrvSE.exe" RegNtPreCreateKey
HKCU\software\395e79bb499256c7eec07fdb7477390a620721ae::40a118e2701fa1a16353e5d4a38ae5d73e176a93 WyJjOlxcdXNlcnNcXHVzZXJcXGRvd25sb2Fkc1xcOTFmYTY3NDU4YzU1NTI0ZmQ5NjU5NjYyYjM0ODc5NGZiNmJiMDhiM18wMDAxMDY2NDk2LmV4ZSIsIkM6XFxzdGFy RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::consentpromptbehavioradmin RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::promptonsecuredesktop RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\action center\checks\{c8e6f269-b90a-4053-a3be-499afcec98c4}.check.0::checksetting #ACBlob RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::runtimebroker "C:\Program Files (x86)\Internet Explorer\en-US\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::runtimebroker "C:\Program Files (x86)\Internet Explorer\en-US\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\Program Files (x86)\Internet Explorer\en-US\RuntimeBroker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::winlogon "C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::winlogon "C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\Program Files (x86)\Internet Explorer\en-US\RuntimeBroker.exe", "C:\Program Files\Reference Assemblies\Microso RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::tiworker "C:\sandbox_live\logs\TiWorker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::tiworker "C:\sandbox_live\logs\TiWorker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::tiworker "C:\Users\user\downloads\TiWorker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::tiworker "C:\Users\user\downloads\TiWorker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::registry "C:\sandbox_live\logs\Registry.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::registry "C:\sandbox_live\logs\Registry.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::backgroundtaskhost "C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\backgroundTaskHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::backgroundtaskhost "C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\backgroundTaskHost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::startmenuexperiencehost "C:\Recovery\OEM\StartMenuExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::startmenuexperiencehost "C:\Recovery\OEM\StartMenuExperienceHost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::xenguestagent "C:\Program Files (x86)\internet explorer\en-us\xenguestagent.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::xenguestagent "C:\Program Files (x86)\internet explorer\en-us\xenguestagent.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::runtimebroker "C:\sandbox_local\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::runtimebroker "C:\sandbox_local\RuntimeBroker.exe" RegNtPreCreateKey
HKCU\software\0b10b8de81802bd97fc789733ddf88860c8f0406::8f9510c4b8f19510d9ee8e56183d26e046a194e6 WyJjOlxcdXNlcnNcXHVzZXJcXGRvd25sb2Fkc1xcYjc0OGU3ZGRkNTFiOWNlMjQ1NTgxYTYwMTZkZWE1OWM2ZWE4MzU0Y18wMDAyMTAzMjk2IiwiQzpcXFByb2dyYW0g RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\applicationassociationtoasts::vbefile_.vbe RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\muicache::c:\windows\system32\wscript.exe.friendlyappname Microsoft ® Windows Based Script Host RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\muicache::c:\windows\system32\wscript.exe.applicationcompany Microsoft Corporation RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 ȁच龡^a紘Ç獖}f좟Ê RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::startmenuexperiencehost "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\StartMenuE RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::startmenuexperiencehost "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\StartMenuE RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::fontdrvhost "C:\Program Files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\fontdrvhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::fontdrvhost "C:\Program Files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\fontdrvhost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::dllhost "C:\Recovery\OEM\dllhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::dllhost "C:\Recovery\OEM\dllhost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::winlogon "C:\sandbox_local\winlogon.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::winlogon "C:\sandbox_local\winlogon.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::searchapp "C:\sandbox_local\SearchApp.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::searchapp "C:\sandbox_local\SearchApp.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::xenguestagent "C:\Program Files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\msft_packagemanagement\en-us\xenguestag RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::xenguestagent "C:\Program Files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\dscresources\msft_packagemanagement\en-us\xenguestag RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::sihost "C:\sandbox_local\sihost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::sihost "C:\sandbox_local\sihost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::phoneexperiencehost "C:\Users\user\downloads\PhoneExperienceHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::phoneexperiencehost "C:\Users\user\downloads\PhoneExperienceHost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::services "C:\sandbox_local\services.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::services "C:\sandbox_local\services.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::sgrmbroker "C:\Users\user\downloads\SgrmBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::sgrmbroker "C:\Users\user\downloads\SgrmBroker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::dashost "C:\Users\user\dasHost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::dashost "C:\Users\user\dasHost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::taskhostw "C:\Program Files\Windows Photo Viewer\en-US\taskhostw.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::taskhostw "C:\Program Files\Windows Photo Viewer\en-US\taskhostw.exe" RegNtPreCreateKey
HKCU\software\f3ec42ef7952f60457828817b890261636922659::2ddf5efb83bfbb15d2aaaefaa6560ada7f1413c0 WyJjOlxcdXNlcnNcXHVzZXJcXGRvd25sb2Fkc1xcNGM3ZDE1NDY2NDMyNGRlMmMzNzI2OWQ4NDE0NmMwNzFmMDBjZDg2NF8wMDAxMjIzNjgwIiwiQzpcXFByb2dyYW0g RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::csrss "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\csrss.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::csrss "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\csrss.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\csrss.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::fontdrvhost "C:\sandbox_live\logs\fontdrvhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::fontdrvhost "C:\sandbox_live\logs\fontdrvhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\csrss.exe", "C:\sandbox_live\logs\fontdrvhost.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::trustedinstaller "C:\Windows\Downloaded Program Files\TrustedInstaller.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::trustedinstaller "C:\Windows\Downloaded Program Files\TrustedInstaller.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::shell explorer.exe, "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\csrss.exe", "C:\sandbox_live\logs\fontdrvhost.exe", RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::lsass "C:\Recovery\OEM\lsass.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::lsass "C:\Recovery\OEM\lsass.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::csrss "C:\Recovery\oem\csrss.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::csrss "C:\Recovery\oem\csrss.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::runtimebroker "C:\Users\user\downloads\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::runtimebroker "C:\Users\user\downloads\RuntimeBroker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::runtimebroker "C:\Windows\downloaded program files\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::runtimebroker "C:\Windows\downloaded program files\RuntimeBroker.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::conhost "C:\Program Files (x86)\windowspowershell\configuration\schema\conhost.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::conhost "C:\Program Files (x86)\windowspowershell\configuration\schema\conhost.exe" RegNtPreCreateKey
HKCU\software\022ed3c920e502da48d06ddd541c35ec9a2fd1d3::72c091cc382432e9319a2201659c4c6512925458 WyJjOlxcdXNlcnNcXHVzZXJcXGRvd25sb2Fkc1xcODc2YWZiYTMxNTE1NWUwMjU2ZjM3Mzk1ZmQ3NjQ1NmUxZTdmODVmMV8wMDAxNzc5MjAwIiwiQzpcXFByb2dyYW0g RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 稒䲓ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䟽稕䲓ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ꩊ稗䲓ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ೢ稚䲓ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 톖稞䲓ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 嫟稨䲓ǜ RegNtPreCreateKey

53 additional registry modifications are not displayed above.

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetContextThread
  • ntdll.dll!NtGetWriteWatch
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResetWriteWatch
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetContextThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSetValueKey

43 additional items are not displayed above.

User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
  • OpenClipboard
Other Suspicious
  • AdjustTokenPrivileges
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
  • NtQuerySystemInformation
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
Network Winsock
  • closesocket
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory

Shell Command Execution

"powershell" -Command Add-MpPreference -ExclusionPath 'c:\users\user\downloads\c0fc4ff54a6cfaa82c5d876bb06832a0bfd11149_0001661952.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_local\MoUsoCoreWorker.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\SandboxHandler.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_stage\mnt\nas\xenguestagent.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\smss.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\startup_test\logs\userinit.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_live\logs\RuntimeBroker.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\downloads\SppExtComObj.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\startup_test\logs\System.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeCore\138.0.3351.55\EBWebView\x64\fontdrvhost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\startup_test\logs\SandboxHandler.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft\edgecore\138.0.3351.55\ebwebview\x64\System.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\downloads\ShellExperienceHost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_live\logs\RuntimeBroker.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows sidebar\shared gadgets\xenguestagent.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_local\StartMenuExperienceHost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_local\csrss.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\windows photo viewer\en-us\TiWorker.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\sihost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\SearchApp.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\startup_test\logs\Idle.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_live\logs\PhoneExperienceHost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\windows photo viewer\en-us\RuntimeBroker.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\livekernelreports\TrustedInstaller.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'c:\users\user\downloads\91fa67458c55524fd9659662b348794fb6bb08b3_0001066496.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\startup_test\logs\PhoneExperienceHost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\downloads\xenbus_monitor_9_1_8_88.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_local\ShellExperienceHost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\startup_test\logs\smartscreen.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_live\logs\smartscreen.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\lsass.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\WMIADAP.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_stage\logs\RuntimeBroker.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\oem\91fa67458c55524fd9659662b348794fb6bb08b3_0001066496.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\startup_test\logs\conhost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\91fa67458c55524fd9659662b348794fb6bb08b3_0001066496.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_stage\logs\SandboxHandler.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\windows multimedia platform\dasHost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\sandbox_stage\logs\WmiPrvSE.exe'
(NULL) C:\savesDllcommon\mJHSJDB8qaxRvU.vbe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/sandbox_live/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/sandbox_local/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/sandbox_stage/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/startup_test/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'