gozi | 336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe
Size

526KB
MD5

7afb45ac5810698b4f3d8bc49e5d02c9
SHA1

82ac0b36bc447b697a907067a4163f4904d8ab25
SHA256

336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798
SHA512

d867f302850a493d0424ad18b2adb110704c7eafde5a1fbb0eef9f109d366d0758bddbece0b8a0a0d5482b5ccf39e0dadff9dc143162eb5710c8639acc88db21
SSDEEP

12288:Y3oGlmVDxLpA4pxc7wak9J5Q4xyhdG0++sVMJG2T7D/mxeT6xY:bVDZi4QEakn5PS+yFTXmAOxY

Score

10^/10

gozi banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215798

rsa_pubkey.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3616	BioCtons.exe
4540	BioCtons.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Certvfat = "C:\\Users\\Admin\\AppData\\Roaming\\aviftcli\\BioCtons.exe"	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3948 set thread context of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3616 set thread context of 4540	3616	BioCtons.exe	102
PID 4540 set thread context of 2092	4540	BioCtons.exe	103
PID 2092 set thread context of 3376	2092	svchost.exe	56
PID 3376 set thread context of 3884	3376	Explorer.EXE	60
PID 3376 set thread context of 4092	3376	Explorer.EXE	62
PID 3376 set thread context of 4040	3376	Explorer.EXE	76
PID 3376 set thread context of 2388	3376	Explorer.EXE	85
PID 3376 set thread context of 4908	3376	Explorer.EXE	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BioCtons.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BioCtons.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	BioCtons.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	BioCtons.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4974d507-41e0-4671	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7658cea9-38fc-4875 = d7cf92c98c29db01	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69e42b2e-4bad-4e4f	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8a51107-dae4-41d8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8d42714-d71f-40d1	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8d42714-d71f-40d1 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7658cea9-38fc-4875 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1bf9c3e5-1f32-4c86 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1bf9c3e5-1f32-4c86 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000cfec5cc78c29db01cfec5cc78c29db01cfec5cc78c29db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005c5932b72000303637623330636636613033613133333234306461356131363635323239663330623930633433623233613964396631383135303064303762663366386332350000b20009000400efbe5c5932b75c5932b72e0000000000000000000000000000000000000000000000000031435400300036003700620033003000630066003600610030003300610031003300330032003400300064006100350061003100360036003500320032003900660033003000620039003000630034003300620032003300610039006400390066003100380031003500300030006400300037006200660033006600380063003200350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000002b3f0c691000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30363762333063663661303361313333323430646135613136363532323966333062393063343362323361396439663138313530306430376266336638633235000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067756d6c6e6c66650000000000000000b23e7cc109c0974eb9fefc474f09270f81f69e8f9784ef11b9b64a034d48373cb23e7cc109c0974eb9fefc474f09270f81f69e8f9784ef11b9b64a034d48373cd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003000340035003900360030003500310032002d0033003900340038003800340034003800310034002d0033003000350039003600390031003600310033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f914d348000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\906447bc-39ba-4792 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000ea9c6dc78c29db01ea9c6dc78c29db01ea9c6dc78c29db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005c5932b72000616466353933323136333763303933623036333833396235373034343536383832636135386135633939363237653361376361313532666334616338616465620000b20009000400efbe5c5932b75c5932b72e0000000000000000000000000000000000000000000000000016934300610064006600350039003300320031003600330037006300300039003300620030003600330038003300390062003500370030003400340035003600380038003200630061003500380061003500630039003900360032003700650033006100370063006100310035003200660063003400610063003800610064006500620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000002b3f0c691000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61646635393332313633376330393362303633383339623537303434353638383263613538613563393936323765336137636131353266633461633861646562000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067756d6c6e6c66650000000000000000b23e7cc109c0974eb9fefc474f09270f83f69e8f9784ef11b9b64a034d48373cb23e7cc109c0974eb9fefc474f09270f83f69e8f9784ef11b9b64a034d48373cd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003000340035003900360030003500310032002d0033003900340038003800340034003800310034002d0033003000350039003600390031003600310033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f914d348000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7658cea9-38fc-4875 = "\\\\?\\Volume{48D314F9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ead69b21b39925b2db56f31c59b49ea67954824fa9fb2f189662907328a21366"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\906447bc-39ba-4792	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\906447bc-39ba-4792 = 5aaf72c78c29db01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\861f4bc4-fa29-4173 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\576c6c7c-8877-43c3 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001a8798c78c29db0126865dc98c29db0126865dc98c29db015ffd02000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005c5932b72000646264623264646238616430616231656265313831393334386165393834663363646231373262306330353531366264646439633765613938633635613664370000b20009000400efbe5c5932b75c5932b72e00000000000000000000000000000000000000000000000000461c4d00640062006400620032006400640062003800610064003000610062003100650062006500310038003100390033003400380061006500390038003400660033006300640062003100370032006200300063003000350035003100360062006400640064003900630037006500610039003800630036003500610036006400370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000002b3f0c691000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64626462326464623861643061623165626531383139333438616539383466336364623137326230633035353136626464643963376561393863363561366437000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067756d6c6e6c66650000000000000000b23e7cc109c0974eb9fefc474f09270f8df69e8f9784ef11b9b64a034d48373cb23e7cc109c0974eb9fefc474f09270f8df69e8f9784ef11b9b64a034d48373cd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003000340035003900360030003500310032002d0033003900340038003800340034003800310034002d0033003000350039003600390031003600310033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f914d348000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\576c6c7c-8877-43c3 = "\\\\?\\Volume{48D314F9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dbdb2ddb8ad0ab1ebe1819348ae984f3cdb172b0c05516bddd9c7ea98c65a6d7"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a1a33a04-8183-437c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7658cea9-38fc-4875 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7658cea9-38fc-4875 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000af4abcc78c29db012f0f86c98c29db012f0f86c98c29db01c52d09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005c5932b72000656164363962323162333939323562326462353666333163353962343965613637393534383234666139666232663138393636323930373332386132313336360000b20009000400efbe5c5932b75c5932b72e000000000000000000000000000000000000000000000000005da63700650061006400360039006200320031006200330039003900320035006200320064006200350036006600330031006300350039006200340039006500610036003700390035003400380032003400660061003900660062003200660031003800390036003600320039003000370033003200380061003200310033003600360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000002b3f0c691000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65616436396232316233393932356232646235366633316335396234396561363739353438323466613966623266313839363632393037333238613231333636000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067756d6c6e6c66650000000000000000b23e7cc109c0974eb9fefc474f09270f8ff69e8f9784ef11b9b64a034d48373cb23e7cc109c0974eb9fefc474f09270f8ff69e8f9784ef11b9b64a034d48373cd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003000340035003900360030003500310032002d0033003900340038003800340034003800310034002d0033003000350039003600390031003600310033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f914d348000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4974d507-41e0-4671	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4974d507-41e0-4671 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\66fc9da4-6fd2-4ef6	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8a51107-dae4-41d8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\576c6c7c-8877-43c3 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7658cea9-38fc-4875	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\906447bc-39ba-4792	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61c2a070-8497-40ab = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d063651e-ff4b-4cf0 = "\\\\?\\Volume{48D314F9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\adf59321637c093b063839b5704456882ca58a5c99627e3a7ca152fc4ac8adeb"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\906447bc-39ba-4792 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4974d507-41e0-4671 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a1a33a04-8183-437c	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\662d5ad8-c0a7-494a	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a1a33a04-8183-437c = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61c2a070-8497-40ab	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61c2a070-8497-40ab = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8531ed08-f2d4-4a82	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d063651e-ff4b-4cf0 = a42b3ac98c29db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8a51107-dae4-41d8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8a51107-dae4-41d8 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\906447bc-39ba-4792 = "\\\\?\\Volume{48D314F9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\adf59321637c093b063839b5704456882ca58a5c99627e3a7ca152fc4ac8adeb"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\861f4bc4-fa29-4173 = 8c2e79c78c29db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d063651e-ff4b-4cf0 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8d42714-d71f-40d1	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1bf9c3e5-1f32-4c86	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\861f4bc4-fa29-4173 = "\\\\?\\Volume{48D314F9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\378aaac7388715ce95a150a870d4059029e782ad883e80ee8bc33a36b7e1261f"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8531ed08-f2d4-4a82 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a38979c78c29db01a38979c78c29db01a38979c78c29db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005c5932b72000656164363962323162333939323562326462353666333163353962343965613637393534383234666139666232663138393636323930373332386132313336360000b20009000400efbe5c5932b75c5932b72e000000000000000000000000000000000000000000000000005da63700650061006400360039006200320031006200330039003900320035006200320064006200350036006600330031006300350039006200340039006500610036003700390035003400380032003400660061003900660062003200660031003800390036003600320039003000370033003200380061003200310033003600360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000002b3f0c691000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65616436396232316233393932356232646235366633316335396234396561363739353438323466613966623266313839363632393037333238613231333636000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067756d6c6e6c66650000000000000000b23e7cc109c0974eb9fefc474f09270f86f69e8f9784ef11b9b64a034d48373cb23e7cc109c0974eb9fefc474f09270f86f69e8f9784ef11b9b64a034d48373cd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003000340035003900360030003500310032002d0033003900340038003800340034003800310034002d0033003000350039003600390031003600310033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f914d348000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61c2a070-8497-40ab = c003c7c88c29db01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a1a33a04-8183-437c = faf07ac98c29db01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8531ed08-f2d4-4a82 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d063651e-ff4b-4cf0	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\576c6c7c-8877-43c3 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4974d507-41e0-4671 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000555fb0c78c29db014818adc88c29db014818adc88c29db0127f402000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005c5932b72000303637623330636636613033613133333234306461356131363635323239663330623930633433623233613964396631383135303064303762663366386332350000b20009000400efbe5c5932b75c5932b72e0000000000000000000000000000000000000000000000000031435400300036003700620033003000630066003600610030003300610031003300330032003400300064006100350061003100360036003500320032003900660033003000620039003000630034003300620032003300610039006400390066003100380031003500300030006400300037006200660033006600380063003200350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000002b3f0c691000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30363762333063663661303361313333323430646135613136363532323966333062393063343362323361396439663138313530306430376266336638633235000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067756d6c6e6c66650000000000000000b23e7cc109c0974eb9fefc474f09270f8bf69e8f9784ef11b9b64a034d48373cb23e7cc109c0974eb9fefc474f09270f8bf69e8f9784ef11b9b64a034d48373cd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003000340035003900360030003500310032002d0033003900340038003800340034003800310034002d0033003000350039003600390031003600310033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f914d348000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\576c6c7c-8877-43c3 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4974d507-41e0-4671 = "\\\\?\\Volume{48D314F9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\067b30cf6a03a133240da5a1665229f30b90c43b23a9d9f181500d07bf3f8c25"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61c2a070-8497-40ab = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000fc23b5c78c29db01cef1a5c88c29db01cef1a5c88c29db012c5808000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005c5932b72000333738616161633733383837313563653935613135306138373064343035393032396537383261643838336538306565386263333361333662376531323631660000b20009000400efbe5c5932b75c5932b72e0000000000000000000000000000000000000000000000000064093a00330037003800610061006100630037003300380038003700310035006300650039003500610031003500300061003800370030006400340030003500390030003200390065003700380032006100640038003800330065003800300065006500380062006300330033006100330036006200370065003100320036003100660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000002b3f0c691000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33373861616163373338383731356365393561313530613837306434303539303239653738326164383833653830656538626333336133366237653132363166000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067756d6c6e6c66650000000000000000b23e7cc109c0974eb9fefc474f09270f8af69e8f9784ef11b9b64a034d48373cb23e7cc109c0974eb9fefc474f09270f8af69e8f9784ef11b9b64a034d48373cd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003000340035003900360030003500310032002d0033003900340038003800340034003800310034002d0033003000350039003600390031003600310033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f914d348000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d063651e-ff4b-4cf0	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d063651e-ff4b-4cf0 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000072d5a6c78c29db010e772bc98c29db010e772bc98c29db01ee6b0b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005c5932b72000616466353933323136333763303933623036333833396235373034343536383832636135386135633939363237653361376361313532666334616338616465620000b20009000400efbe5c5932b75c5932b72e0000000000000000000000000000000000000000000000000016934300610064006600350039003300320031003600330037006300300039003300620030003600330038003300390062003500370030003400340035003600380038003200630061003500380061003500630039003900360032003700650033006100370063006100310035003200660063003400610063003800610064006500620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000002b3f0c691000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61646635393332313633376330393362303633383339623537303434353638383263613538613563393936323765336137636131353266633461633861646562000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067756d6c6e6c66650000000000000000b23e7cc109c0974eb9fefc474f09270f8cf69e8f9784ef11b9b64a034d48373cb23e7cc109c0974eb9fefc474f09270f8cf69e8f9784ef11b9b64a034d48373cd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003000340035003900360030003500310032002d0033003900340038003800340034003800310034002d0033003000350039003600390031003600310033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f914d348000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8d42714-d71f-40d1 = "\\\\?\\Volume{48D314F9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f139911e0e73987ef966603619eb942eb9bea6763f8fa162422abae9069026bf"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\861f4bc4-fa29-4173 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8531ed08-f2d4-4a82 = 04677dc78c29db01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a1a33a04-8183-437c	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21ec6c1c-61f6-4dff	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4540	BioCtons.exe
4540	BioCtons.exe
3376	Explorer.EXE
3376	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4540	BioCtons.exe
2092	svchost.exe
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3884	RuntimeBroker.exe
Token: SeShutdownPrivilege	3884	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3376	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3376	Explorer.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3948 wrote to memory of 3744	3948	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	97
PID 3744 wrote to memory of 916	3744	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	98
PID 3744 wrote to memory of 916	3744	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	98
PID 3744 wrote to memory of 916	3744	7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe	98
PID 916 wrote to memory of 3976	916	cmd.exe	100
PID 916 wrote to memory of 3976	916	cmd.exe	100
PID 916 wrote to memory of 3976	916	cmd.exe	100
PID 3976 wrote to memory of 3616	3976	cmd.exe	101
PID 3976 wrote to memory of 3616	3976	cmd.exe	101
PID 3976 wrote to memory of 3616	3976	cmd.exe	101
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 3616 wrote to memory of 4540	3616	BioCtons.exe	102
PID 4540 wrote to memory of 2092	4540	BioCtons.exe	103
PID 4540 wrote to memory of 2092	4540	BioCtons.exe	103
PID 4540 wrote to memory of 2092	4540	BioCtons.exe	103
PID 4540 wrote to memory of 2092	4540	BioCtons.exe	103
PID 4540 wrote to memory of 2092	4540	BioCtons.exe	103
PID 2092 wrote to memory of 3376	2092	svchost.exe	56
PID 2092 wrote to memory of 3376	2092	svchost.exe	56
PID 2092 wrote to memory of 3376	2092	svchost.exe	56
PID 3376 wrote to memory of 3884	3376	Explorer.EXE	60
PID 3376 wrote to memory of 3884	3376	Explorer.EXE	60
PID 3376 wrote to memory of 3884	3376	Explorer.EXE	60
PID 3376 wrote to memory of 4092	3376	Explorer.EXE	62
PID 3376 wrote to memory of 4092	3376	Explorer.EXE	62
PID 3376 wrote to memory of 4092	3376	Explorer.EXE	62
PID 3376 wrote to memory of 4040	3376	Explorer.EXE	76
PID 3376 wrote to memory of 4040	3376	Explorer.EXE	76
PID 3376 wrote to memory of 4040	3376	Explorer.EXE	76
PID 3376 wrote to memory of 2388	3376	Explorer.EXE	85
PID 3376 wrote to memory of 2388	3376	Explorer.EXE	85
PID 3376 wrote to memory of 2388	3376	Explorer.EXE	85
PID 3376 wrote to memory of 4908	3376	Explorer.EXE	86
PID 3376 wrote to memory of 4908	3376	Explorer.EXE	86
PID 3376 wrote to memory of 4908	3376	Explorer.EXE	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7afb45ac5810698b4f3d8bc49e5d02c9_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7CFA\BE7D.bat" "C:\Users\Admin\AppData\Roaming\aviftcli\BioCtons.exe" "C:\Users\Admin\AppData\Local\Temp\7AFB45~1.EXE""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C ""C:\Users\Admin\AppData\Roaming\aviftcli\BioCtons.exe" "C:\Users\Admin\AppData\Local\Temp\7AFB45~1.EXE""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
      - C:\Users\Admin\AppData\Roaming\aviftcli\BioCtons.exe
        
        "C:\Users\Admin\AppData\Roaming\aviftcli\BioCtons.exe" "C:\Users\Admin\AppData\Local\Temp\7AFB45~1.EXE"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Users\Admin\AppData\Roaming\aviftcli\BioCtons.exe
        
        "C:\Users\Admin\AppData\Roaming\aviftcli\BioCtons.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2388

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7CFA\BE7D.bat

Filesize
112B

MD5
91a9be04bb7024577606ca65c001ceb7

SHA1
3ccddb7255e5496eb6e68d881eae3c5822eb60f7

SHA256
f78701b1ad45b1cbb3b0a736e09bd1781ab25bf0d71787719423ca2fc4aa4db7

SHA512
b5dcb0db708ef89f4c05c9be34c037a2af4dd7d4b837eb2146f9ba7fb71220a790f61b6c3f5f1bb2481792798337150e67789c741382673218fb30f080251ea5

Download Submit
C:\Users\Admin\AppData\Roaming\aviftcli\BioCtons.exe

Filesize
526KB

MD5
7afb45ac5810698b4f3d8bc49e5d02c9

SHA1
82ac0b36bc447b697a907067a4163f4904d8ab25

SHA256
336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798

SHA512
d867f302850a493d0424ad18b2adb110704c7eafde5a1fbb0eef9f109d366d0758bddbece0b8a0a0d5482b5ccf39e0dadff9dc143162eb5710c8639acc88db21

Download Submit
memory/2092-28-0x0000000000C10000-0x0000000000D14000-memory.dmp

Filesize
1.0MB

Download
memory/2092-30-0x0000000000C10000-0x0000000000D14000-memory.dmp

Filesize
1.0MB

Download
memory/2092-22-0x0000000000C10000-0x0000000000D14000-memory.dmp

Filesize
1.0MB

Download
memory/2092-21-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2388-73-0x0000020767360000-0x0000020767464000-memory.dmp

Filesize
1.0MB

Download
memory/2388-60-0x0000020767360000-0x0000020767464000-memory.dmp

Filesize
1.0MB

Download
memory/2388-56-0x0000020767360000-0x0000020767464000-memory.dmp

Filesize
1.0MB

Download
memory/3376-62-0x0000000007EA0000-0x0000000007FA4000-memory.dmp

Filesize
1.0MB

Download
memory/3376-29-0x0000000007EA0000-0x0000000007FA4000-memory.dmp

Filesize
1.0MB

Download
memory/3376-36-0x0000000007EA0000-0x0000000007FA4000-memory.dmp

Filesize
1.0MB

Download
memory/3376-35-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3376-70-0x0000000007EA0000-0x0000000007FA4000-memory.dmp

Filesize
1.0MB

Download
memory/3376-65-0x0000000007EA0000-0x0000000007FA4000-memory.dmp

Filesize
1.0MB

Download
memory/3376-67-0x0000000007EA0000-0x0000000007FA4000-memory.dmp

Filesize
1.0MB

Download
memory/3376-68-0x0000000007EA0000-0x0000000007FA4000-memory.dmp

Filesize
1.0MB

Download
memory/3744-8-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3744-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3744-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3744-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3884-44-0x000002458C200000-0x000002458C304000-memory.dmp

Filesize
1.0MB

Download
memory/3884-40-0x000002458C200000-0x000002458C304000-memory.dmp

Filesize
1.0MB

Download
memory/3884-45-0x000002458C200000-0x000002458C304000-memory.dmp

Filesize
1.0MB

Download
memory/3884-72-0x000002458C200000-0x000002458C304000-memory.dmp

Filesize
1.0MB

Download
memory/4040-51-0x000001DEF7300000-0x000001DEF7404000-memory.dmp

Filesize
1.0MB

Download
memory/4040-55-0x000001DEF7300000-0x000001DEF7404000-memory.dmp

Filesize
1.0MB

Download
memory/4092-50-0x0000027D6DA00000-0x0000027D6DB04000-memory.dmp

Filesize
1.0MB

Download
memory/4092-46-0x0000027D6DA00000-0x0000027D6DB04000-memory.dmp

Filesize
1.0MB

Download
memory/4540-27-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4540-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4908-61-0x000002BB5D600000-0x000002BB5D704000-memory.dmp

Filesize
1.0MB

Download
memory/4908-69-0x000002BB5D600000-0x000002BB5D704000-memory.dmp

Filesize
1.0MB

Download