magniber | 6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2022 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SYSTEM.Security.Database.Upgrade.Win10.0.jse
Size

185KB
MD5

f6d2fc78661b55258fb704f66c9949e4
SHA1

7c4608440e4afcb032890edd4deef18a0ce3c8dd
SHA256

6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c
SHA512

9f66641f19e8046b19f7bffa056ec3e677aae853102dded94c22665381d0d2b65334c16c74d7b64df319b1518931d6ad281ad86c1fbc67ee6ba1984f67506dce
SSDEEP

3072:dthtQYzUz8giIajyEPeR00t/+DYhRkEIKf+6yr3S1IuIDbHBX66vPYH/J25gfgbD:z73zUz8gCjyUeihSRkCy3H36HxgbD

Score

10^/10

magniber evasion persistence ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4796-134-0x0000011BC9BE0000-0x0000011BCABE0000-memory.dmp	family_magniber
behavioral2/memory/2300-135-0x0000022AB96F0000-0x0000022AB96FA000-memory.dmp	family_magniber
behavioral2/memory/4796-147-0x0000011BC9BE0000-0x0000011BCABE0000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	3836	bcdedit.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	3836	bcdedit.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3836	wbadmin.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	3836	wbadmin.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3836	bcdedit.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3836	bcdedit.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3836	wbadmin.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3836	wbadmin.exe	53

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
1240	bcdedit.exe
2604	bcdedit.exe
3608	bcdedit.exe
1988	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exe

pid	Process
1140	wbadmin.exe
2160	wbadmin.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exe

pid	Process
4912	wbadmin.exe
4812	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhostw.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\PublishStop.tif => C:\Users\Admin\Pictures\PublishStop.tif.kzyfukvrt	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\SwitchImport.tif => C:\Users\Admin\Pictures\SwitchImport.tif.kzyfukvrt	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\AssertRead.raw => C:\Users\Admin\Pictures\AssertRead.raw.kzyfukvrt	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\NewShow.raw => C:\Users\Admin\Pictures\NewShow.raw.kzyfukvrt	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\UseRename.raw => C:\Users\Admin\Pictures\UseRename.raw.kzyfukvrt	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\BackupRequest.png => C:\Users\Admin\Pictures\BackupRequest.png.kzyfukvrt	taskhostw.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4800	3220	WerFault.exe	44
2336	3024	WerFault.exe	68

Checks SCSI registry key(s) 3 TTPs 40 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exevds.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeexplorer.exesihost.exetaskhostw.exeRuntimeBroker.exesvchost.exeRuntimeBroker.exeExplorer.EXEsvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\64897590-46cc-4178- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c7609c7a-3905-402e- = be98e43c9fc8d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44de0f95-6d0a-4f9f- = bfc1d93a9fc8d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8b1ad1c8-3c96-4cd9-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0841aee-f579-4c09-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44de0f95-6d0a-4f9f- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b66024b3-f117-4e9b- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c7609c7a-3905-402e- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009405c93b9fc8d80119f2123c9fc8d80119f2123c9fc8d801d88206000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002f55ab082000376531336532383736356238303330323438626435343638623838373538623665356431313965653336633732633232306438323339623730313838646539610000b20009000400efbe2f55ab082f55ab082e00000000000000000000000000000000000000000000000000d9505500370065003100330065003200380037003600350062003800300033003000320034003800620064003500340036003800620038003800370035003800620036006500350064003100310039006500650033003600630037003200630032003200300064003800320033003900620037003000310038003800640065003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000671b2ee1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37653133653238373635623830333032343862643534363862383837353862366535643131396565333663373263323230643832333962373031383864653961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f21b6e9110f029ed11a0ee5286b00c305180c72b02b50e1340bd556b93270e57f21b6e9110f029ed11a0ee5286b00c3051ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\71019831-2be4-4507- = 16dbab3a9fc8d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\64897590-46cc-4178-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b66024b3-f117-4e9b- = cdb4933c9fc8d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44de0f95-6d0a-4f9f-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84ad2f9e-2136-49fb- = de05f83a9fc8d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9802ecf1-5939-4b44- = 7d822f3c9fc8d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9802ecf1-5939-4b44- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d9f1945c462dbf5ffc978f6eab93928c0c7c1aeb7fd6acfb4a96e53598f75df6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8b1ad1c8-3c96-4cd9- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\64897590-46cc-4178- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\44de0f95-6d0a-4f9f-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6279a377-fad2-4566-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\71019831-2be4-4507- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8b1ad1c8-3c96-4cd9- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f1de2112a781cf82df7a8a7763adecc678f6c395f22b664cfcf2dd8d2c0eab0c"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6279a377-fad2-4566- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ugyubmozrft.gif"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8b1ad1c8-3c96-4cd9- = 275dee3a9fc8d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84ad2f9e-2136-49fb- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0841aee-f579-4c09- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0841aee-f579-4c09-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9802ecf1-5939-4b44- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000346a8d3b9fc8d801567efd3b9fc8d801567efd3b9fc8d8017d7e1b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002f55ac082000643966313934356334363264626635666663393738663665616239333932386330633763316165623766643661636662346139366535333539386637356466360000b20009000400efbe2f55ac082f55ac082e000000000000000000000000000000000000000000000000007ee50c01640039006600310039003400350063003400360032006400620066003500660066006300390037003800660036006500610062003900330039003200380063003000630037006300310061006500620037006600640036006100630066006200340061003900360065003500330035003900380066003700350064006600360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000671b2ee1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64396631393435633436326462663566666339373866366561623933393238633063376331616562376664366163666234613936653533353938663735646636000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2186e9110f029ed11a0ee5286b00c305180c72b02b50e1340bd556b93270e57f2186e9110f029ed11a0ee5286b00c3051ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c5d432c-28e9-4aab- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/eekoeksl.gif"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84ad2f9e-2136-49fb-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84ad2f9e-2136-49fb- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9802ecf1-5939-4b44- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0841aee-f579-4c09-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\71019831-2be4-4507-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/mcjslakm.gif"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\71019831-2be4-4507-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0841aee-f579-4c09- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c5d432c-28e9-4aab- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6279a377-fad2-4566- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c7609c7a-3905-402e- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2310d82-5ea9-429b- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2310d82-5ea9-429b- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WScript.exe

pid	Process
4796	WScript.exe
4796	WScript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
3024	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXERuntimeBroker.exevssvc.exewbengine.exeexplorer.exe

description	pid	Process
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3392	RuntimeBroker.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3392	RuntimeBroker.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3392	RuntimeBroker.exe
Token: SeShutdownPrivilege	3392	RuntimeBroker.exe
Token: SeShutdownPrivilege	3392	RuntimeBroker.exe
Token: SeBackupPrivilege	636	vssvc.exe
Token: SeRestorePrivilege	636	vssvc.exe
Token: SeAuditPrivilege	636	vssvc.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeBackupPrivilege	5044	wbengine.exe
Token: SeRestorePrivilege	5044	wbengine.exe
Token: SeSecurityPrivilege	5044	wbengine.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

explorer.exe

pid	Process
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

explorer.exe

pid	Process
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WScript.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	Process	procid_target
PID 4796 wrote to memory of 2300	4796	WScript.exe	21
PID 4796 wrote to memory of 2324	4796	WScript.exe	80
PID 4796 wrote to memory of 2424	4796	WScript.exe	79
PID 4796 wrote to memory of 3024	4796	WScript.exe	68
PID 4796 wrote to memory of 1328	4796	WScript.exe	67
PID 4796 wrote to memory of 3220	4796	WScript.exe	44
PID 4796 wrote to memory of 3320	4796	WScript.exe	43
PID 4796 wrote to memory of 3392	4796	WScript.exe	42
PID 4796 wrote to memory of 3516	4796	WScript.exe	66
PID 4796 wrote to memory of 3688	4796	WScript.exe	65
PID 4796 wrote to memory of 4580	4796	WScript.exe	63
PID 4796 wrote to memory of 4500	4796	WScript.exe	46
PID 4796 wrote to memory of 3640	4796	WScript.exe	83
PID 732 wrote to memory of 1776	732	cmd.exe	108
PID 732 wrote to memory of 1776	732	cmd.exe	108
PID 1776 wrote to memory of 3672	1776	fodhelper.exe	109
PID 1776 wrote to memory of 3672	1776	fodhelper.exe	109
PID 4544 wrote to memory of 3268	4544	cmd.exe	126
PID 4544 wrote to memory of 3268	4544	cmd.exe	126
PID 3268 wrote to memory of 4952	3268	fodhelper.exe	127
PID 3268 wrote to memory of 4952	3268	fodhelper.exe	127

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2300

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3220
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3220 -s 1044
  2⤵
  - Program crash
  PID:4800

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4580

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:1328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3024
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SYSTEM.Security.Database.Upgrade.Win10.0.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4796
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/xyagozu.gif
      4⤵
      PID:4952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3024 -s 2872
  2⤵
  - Program crash
  PID:2336

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2324
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/uvrjullp.gif
      4⤵
      PID:3672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3220 -ip 3220
1⤵
PID:1472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1240

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2604

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4912

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:1140

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2264

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4600

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3608

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1988

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:2160

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3024 -ip 3024
1⤵
PID:5036

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4244

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\DESKTOP\CLOSEOUT.XPS.KZYFUKVRT

Filesize
358KB

MD5
94b0cbffc70a7c3a131c693cda046c55

SHA1
b957207209e07071991020efc6d29044d62ad468

SHA256
9f471af3941f52b2e3bbad293468524afd27d3feb76c337b520469b17dc1b362

SHA512
dbbdd8c02f29eba21260c74fb057b4b945e65b736f811ce5946f63aff25967a66b43d867b70f6be93630583f74ce14ff9355d9c3ef2ab5871848a51c35a7cc5b

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPLETEJOIN.DOTM.KZYFUKVRT

Filesize
682KB

MD5
89873817b0ccd5dafe73062452ed6b43

SHA1
6e560bd3360d5753e8785412ae077b604946ee43

SHA256
ae7267a8a800e3f805d8fa2294dca86c18633ff14435d50b73c0a9b911143bcf

SHA512
91fb05d25bec5bc9417d6f7a65bed539b556eb439b2b70cfa88466c5ad8a06dc7a6cb66ca0c2f6d43f823617af4b87ac47fc8bb69285793398d7229c17257718

Download Submit
C:\USERS\ADMIN\DESKTOP\CONFIRMCOMPARE.JFIF.KZYFUKVRT

Filesize
474KB

MD5
ccee97adbb6b3a6b198d2bc37f853106

SHA1
3f9fb7507a6badbe225813b4bd75b99129b5ea1e

SHA256
0f239c3394af4fb1926cb88dec6a1c8c92ee8b05994c11a63e7a0ec70beb642a

SHA512
871b5698a63bd5aff84996b110450c045c6125cd7f846fc306dacf545fe52896fe8311e9813f3f03d957e8fe19fdcc75e7ba160f32d1eca4874ba1ce67f7b8b7

Download Submit
C:\USERS\ADMIN\DESKTOP\CONNECTSELECT.VBS.KZYFUKVRT

Filesize
798KB

MD5
ebfb53b78b52622c1950491e01ef53c1

SHA1
87c55ec256eeee84daaf9ed3ea86655599f9e891

SHA256
15184f4f02ac8f7fe95de0de9116d3d6e291ea33ad4ee3f7a4b8436c8e64a1ed

SHA512
6ea3527db16d1e5a132730654bb260364586c30d97faf90647de1f7e9ab0c074cc16987f10746de1764979ef3a8e5a4353ebe20fa137e4a099596bfda6bc2d48

Download Submit
C:\USERS\ADMIN\DESKTOP\COPYCONVERTFROM.DOCM.KZYFUKVRT

Filesize
1.3MB

MD5
fc9c9edbadc006a0c9a1b0a6b9387599

SHA1
058dc955494218b45dceeb362a11281def8111f5

SHA256
56a1fa4f6097a1d32ff26cf722e600fd3ce0ac5936bab245f332de35ca849b71

SHA512
d402efc77eb5df27b449a6ade24b3c662504571b2c64a5843f7a90c842c0e480ff776e741095cd1d34666cbcc48e6e1921fb0d5708961922fee187f26abf28c0

Download Submit
C:\USERS\ADMIN\DESKTOP\EXPORTDISMOUNT.SVG.KZYFUKVRT

Filesize
752KB

MD5
9419dba78734c3d7e8d5de48ce36e987

SHA1
acd9e09717dac5267971ebd37613a9f18f440f53

SHA256
52ca71b0c4747f14017cf9b405831d2622765008a9218c6eca648997e8aba20a

SHA512
5fcf7573a312694ebd0cc6eb18a742da252f3bdc53095fb5f6df9c4fd55bbf6d27ddd74f1460a1c073cac6e17bd4cfb5e60adf65b95d15b393ca3949348ca881

Download Submit
C:\USERS\ADMIN\DESKTOP\HIDEBLOCK.XLT.KZYFUKVRT

Filesize
937KB

MD5
93333c129a19f96d6944d3772d80f206

SHA1
e1e4607b292aed64847b0bf2ff889e1a91217e76

SHA256
7aa36c765e5ed1111a006768aac6cfc6f786b9106ad09715169d8fe234697171

SHA512
4256d57d0dbdd59709d970557b517b8975bd95f9cc4daefcdd466df4661416bfd3ec6e610cad181a5de9737cbedf066e956fa391edd317a107731669555df92f

Download Submit
C:\USERS\ADMIN\DESKTOP\PUBLISHCOMPLETE.RTF.KZYFUKVRT

Filesize
705KB

MD5
81bfbf20dd9b4e83575e6d8ab404188f

SHA1
6c2a426705d831dd34bf2b939da4e8800549dd53

SHA256
a014bb7a97ceb2a5306404cfd43ebf02bacc82d4a6aeb32b2e758c7616526d35

SHA512
beab545bd81893bcbae0d26aa29aff9f0420468b362c3969df9623598ad96d9ce685c881cd066e5a79afc3b02941e8f0c758a23b624c83469008ba23f56a36d4

Download Submit
C:\USERS\ADMIN\DESKTOP\README.HTML

Filesize
15KB

MD5
3db953d2006fd5460d5b8d05bc9a3a93

SHA1
3e9513562d759b8976a16daf2860c5b04d00608b

SHA256
81eb55b1c395cfba7105d53d9c4ca3434646f260b706190859e1d9669fba3d11

SHA512
dc72379c8f44980d3c26a5e308d58eaf82556eb5b0fb4885e4b8f4e5e7b6250e91a117ad97e380f0fdebd28ff13f2054bae358c954623e24092728fc59dc1b36

Download Submit
C:\USERS\ADMIN\DESKTOP\SEARCHUNINSTALL.ZIP.KZYFUKVRT

Filesize
821KB

MD5
8e0a9ed2082a31f6a17520dbc339e18e

SHA1
5277a99f17a2a39b7d7cf7dc13e97e19f9c14e83

SHA256
c88dd8fd47c185c1f5e79fce0045a5c1c2b74c8773b025a6e8b076b20c9f8149

SHA512
bac2ba2b1f6e81a3c0622477d0acd172c490ef371c93a5e7d7271f4b48e8facf02679b36cdc02852cbf9686f689fed372d79c5c9bd36ece03c2713cde49abf78

Download Submit
C:\USERS\ADMIN\DESKTOP\SENDDISCONNECT.PPSM.KZYFUKVRT

Filesize
636KB

MD5
265c41f7a81c50bfde970c9534516a03

SHA1
ca734989113ec95917b05cfe2fe12522d547161c

SHA256
89128055a9660f7fc2ee3274cf45f69005c7ab926ebbb9d793c6da3d5e3348f3

SHA512
71e38e908ce1cd774e6d552cb2fef19f5894ea24b7ec575003c21355cdcc11af8f3a55fc4e7db0cdc2ef4a4933d62fab9221d76e5798159b3838148f16d589f2

Download Submit
C:\USERS\ADMIN\DESKTOP\SKIPJOIN.ODP.KZYFUKVRT

Filesize
590KB

MD5
5baf5f25058ef57289c2b644bf0c7151

SHA1
453de8230fb285b86b5d683b85e5346870c42ee6

SHA256
26d2466f69af77a9a713bdbc70709871d267b1a462212b90109c283a486fbf2e

SHA512
46d4eda77d96ad0579b7cca7d9d57a9b9d961878e71276decb07a89cb944d7c5ff589ec0c6a61f4e10daefcf28d2fb418b9cb500205646a20636822c788c6624

Download Submit
C:\USERS\ADMIN\DESKTOP\SKIPUNBLOCK.MPEG.KZYFUKVRT

Filesize
844KB

MD5
b0c7efefb2d6ae286600769343b7da43

SHA1
6eab2e79eb0e0627751c6bffca70f26842f4086a

SHA256
24326e6e4f367b1cdccec384903329b242f9c9c8c213d7f436dc81b7abdac3d0

SHA512
571899e7667d6f23520331dae0b0fa5f41f43000120b8d602125ab961af5f9c401ae92e2438f355fc5e3fe4d51c0977491c2dc0716f36eb1f2638b5a26e127e5

Download Submit
C:\USERS\ADMIN\DESKTOP\SYNCRESTORE.SVGZ.KZYFUKVRT

Filesize
659KB

MD5
43f066e8824dbedfdb355defc06c3a93

SHA1
03f7b955fb373687bbe031b2853e7183ca5ea02b

SHA256
d7a44825674ce2586c0d5c32274d9e4dd89daccdcc1367fe10c4e3a737c2db21

SHA512
ae34fc286b2b75781aec26661085e5d4aad9c0f90ea16a33280db7edef44d8658221a3f20635378912258f697c836cc06def4335f270f053ae5d75d0a6654b07

Download Submit
C:\USERS\ADMIN\DESKTOP\TESTADD.ODT.KZYFUKVRT

Filesize
520KB

MD5
1cf926bb8a116d54dae5e33cb2501a84

SHA1
c1da9329ac0d4de995489660ef4eae15e6c8ebfc

SHA256
791b81464a6618e13c1112e81ecfa64ce37404883f67726111240c338eac829b

SHA512
896f99914d231f22632c3191301ef93fbfc86ec45816dca83445b0ea02c7fab9a59df3082277228512d1993cf9ac21d2dbf20e4793fb6d33c8490460dc4ef0e5

Download Submit
C:\USERS\ADMIN\DESKTOP\UNPROTECTUPDATE.WMV.KZYFUKVRT

Filesize
405KB

MD5
7d262d827ad75741ace041a6b5701883

SHA1
195db5ac6cb0121d4a49fe01977a99e3a1c8cce9

SHA256
3bf7cb90170d933a133978a4ef3239786a9dd5539e48c5e1fa9a0ef470d055cb

SHA512
9b1e97dd201095017fe699a41a3a7728ca725e2aa130a123476528f1e965b0109aca2be17b2fff7fe0bb8a77d73294429db79d8a471312749fb03d751f2937b1

Download Submit
C:\USERS\ADMIN\DESKTOP\WRITERENAME.RAR.KZYFUKVRT

Filesize
543KB

MD5
e40b35a1ed7e24978a2228b1dbea2051

SHA1
18669cbcc89c1349f64c2e7bd10b846873689c93

SHA256
b3998c103239a1c7baecb9bb05a2d69dfdf854eca3d57fd355a9aff59867bf46

SHA512
49b7757df5cad5393efa5eb8924d144017f75f0257a45196527164f339d39090b25f4bbd5076b7dd37ea4a94d5bdbe8f499dc8514c2cc88603b0673f869ee76a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1016B

MD5
0e4048ae343932ec4deecd5c28d41120

SHA1
d8cba17ad7c4a6c0b69b6e45291bdf64d83fa724

SHA256
d12b37982d443bb314d593362d052eba684b200eca1454a7d149d357efe27970

SHA512
bd7e2eaf99267bea7be01b6c3cac74e5a0c8337fcf0215c62cea4192f9b6bc0ede3a733d282750693b0c3c7cbb96b63614e12ad5928ceda17fe9c064dec411c9

Download Submit
C:\Users\Public\uvrjullp.gif

Filesize
853B

MD5
e1364886ae80ad259f572645fb45e98b

SHA1
132dc959681181e7ab6dd6909046f53c5e9f69ad

SHA256
000ae2cfe01b7e4c5b1e01ad1a4c0aa0b223f373a1fecf13b8d052d55f9401a5

SHA512
632735d26425c0efa2f6a172625173d0e7bbc2d0b589cf0cfb2a3872a298edac6627596792daf4b3199248bd4fb83ada21a25f738a01b492ed95d19aea40890b

Download Submit
C:\Users\Public\xyagozu.gif

Filesize
853B

MD5
e1364886ae80ad259f572645fb45e98b

SHA1
132dc959681181e7ab6dd6909046f53c5e9f69ad

SHA256
000ae2cfe01b7e4c5b1e01ad1a4c0aa0b223f373a1fecf13b8d052d55f9401a5

SHA512
632735d26425c0efa2f6a172625173d0e7bbc2d0b589cf0cfb2a3872a298edac6627596792daf4b3199248bd4fb83ada21a25f738a01b492ed95d19aea40890b

Download Submit
memory/116-195-0x00000231803C0000-0x00000231803E0000-memory.dmp

Filesize
128KB

Download
memory/116-194-0x0000023178940000-0x0000023178960000-memory.dmp

Filesize
128KB

Download
memory/116-193-0x0000023178E58000-0x0000023178E60000-memory.dmp

Filesize
32KB

Download
memory/116-192-0x0000023177C00000-0x0000023177D00000-memory.dmp

Filesize
1024KB

Download
memory/116-182-0x0000023178900000-0x0000023178920000-memory.dmp

Filesize
128KB

Download
memory/116-190-0x000002290000B000-0x000002290000E000-memory.dmp

Filesize
12KB

Download
memory/116-189-0x000002290000B000-0x000002290000E000-memory.dmp

Filesize
12KB

Download
memory/116-188-0x000002290000B000-0x000002290000E000-memory.dmp

Filesize
12KB

Download
memory/116-187-0x000002290000B000-0x000002290000E000-memory.dmp

Filesize
12KB

Download
memory/1776-151-0x0000000000000000-mapping.dmp

Download
memory/2300-135-0x0000022AB96F0000-0x0000022AB96FA000-memory.dmp

Filesize
40KB

Download
memory/3268-154-0x0000000000000000-mapping.dmp

Download
memory/3672-152-0x0000000000000000-mapping.dmp

Download
memory/4796-134-0x0000011BC9BE0000-0x0000011BCABE0000-memory.dmp

Filesize
16.0MB

Download
memory/4796-145-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4796-147-0x0000011BC9BE0000-0x0000011BCABE0000-memory.dmp

Filesize
16.0MB

Download
memory/4796-150-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4796-132-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4952-155-0x0000000000000000-mapping.dmp

Download