magniber | 5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2022 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SYSTEM.Security.Database.Upgrade.Win10.0_1.jse
Size

192KB
MD5

b40966619d66f80774ebf817c3316acc
SHA1

cdc90f17b5a54005993a4db61ac60e0b905f8416
SHA256

5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34
SHA512

a489b19a01b66807e3cc5af17abdc679e72d34139b47f5face96ac68cf183f5d790d24adb065db9327dd82cde24532c3e193a716a5212df310f90eb7e241b88e
SSDEEP

6144:9a6398SbpjPvtKLqAMFHEbbz5ek3/Auyn5Ia:xnvkwdizUk3/Auynqa

Score

10^/10

magniber evasion persistence ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4264-134-0x000001F400000000-0x000001F401000000-memory.dmp	family_magniber
behavioral2/memory/2724-135-0x000001D0D0AA0000-0x000001D0D0AAB000-memory.dmp	family_magniber
behavioral2/memory/4264-147-0x000001F400000000-0x000001F401000000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4412	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4412	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4412	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	4412	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	3848	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	3848	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	3848	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3848	wbadmin.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

4480 bcdedit.exe
5092 bcdedit.exe
2244 bcdedit.exe
3392 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

3256 wbadmin.exe
4264 wbadmin.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4756 wbadmin.exe
5116 wbadmin.exe

pid	process
4480	bcdedit.exe
5092	bcdedit.exe
2244	bcdedit.exe
3392	bcdedit.exe

pid	process
3256	wbadmin.exe
4264	wbadmin.exe

pid	process
4756	wbadmin.exe
5116	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DisableBlock.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\WriteResume.png => C:\Users\Admin\Pictures\WriteResume.png.fhbrfuj	sihost.exe
File renamed	C:\Users\Admin\Pictures\ReadRepair.raw => C:\Users\Admin\Pictures\ReadRepair.raw.fhbrfuj	sihost.exe
File renamed	C:\Users\Admin\Pictures\BackupUnlock.tif => C:\Users\Admin\Pictures\BackupUnlock.tif.fhbrfuj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertSearch.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\ConvertSearch.tiff => C:\Users\Admin\Pictures\ConvertSearch.tiff.fhbrfuj	sihost.exe
File renamed	C:\Users\Admin\Pictures\DisableBlock.tiff => C:\Users\Admin\Pictures\DisableBlock.tiff.fhbrfuj	sihost.exe
File renamed	C:\Users\Admin\Pictures\InvokeSwitch.tif => C:\Users\Admin\Pictures\InvokeSwitch.tif.fhbrfuj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeSave.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\OptimizeSave.tiff => C:\Users\Admin\Pictures\OptimizeSave.tiff.fhbrfuj	sihost.exe
File renamed	C:\Users\Admin\Pictures\RestoreComplete.raw => C:\Users\Admin\Pictures\RestoreComplete.raw.fhbrfuj	sihost.exe
File renamed	C:\Users\Admin\Pictures\SkipSend.crw => C:\Users\Admin\Pictures\SkipSend.crw.fhbrfuj	sihost.exe
File renamed	C:\Users\Admin\Pictures\UndoSend.tif => C:\Users\Admin\Pictures\UndoSend.tif.fhbrfuj	sihost.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3816 3296 WerFault.exe DllHost.exe
4808 652 WerFault.exe Explorer.EXE

pid	pid_target	process	target process
3816	3296	WerFault.exe	DllHost.exe
4808	652	WerFault.exe	Explorer.EXE

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exesvchost.exetaskhostw.exesvchost.exeRuntimeBroker.exeExplorer.EXEsihost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dfa7cbaa-1335-46fa- = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ef4158f4-5053-4d7b-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dfa7cbaa-1335-46fa- = b4b78b459fc8d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84090b8e-9244-4995-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85b2399d-c22c-4103-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57a9f3c0-7619-4d40-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9e8d7535-c597-4bbd- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e7d54a0-67f8-468d-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57a9f3c0-7619-4d40- = 7dc86d459fc8d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0286241d-f698-467e- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000971b52469fc8d8019538d5469fc8d8019538d5469fc8d801729319000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002f55b4082000316235333462616533343232303364316330393764333262353565313837626432633935353939663962346236316162343335376464386166373039643335350000b20009000400efbe2f55b4082f55b4082e0000000000000000000000000000000000000000000000000078b10300310062003500330034006200610065003300340032003200300033006400310063003000390037006400330032006200350035006500310038003700620064003200630039003500350039003900660039006200340062003600310061006200340033003500370064006400380061006600370030003900640033003500350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006f5772211000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31623533346261653334323230336431633039376433326235356531383762643263393535393966396234623631616234333537646438616637303964333535000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2324cb509e929ed11a0eef63a18efecfd80c72b02b50e1340bd556b93270e57f2324cb509e929ed11a0eef63a18efecfdce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57a9f3c0-7619-4d40-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9e8d7535-c597-4bbd-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85b2399d-c22c-4103- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000610ae2459fc8d8018c1590469fc8d8018c1590469fc8d801ff360a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002f55b4082000633437383561343064353239653738333165376430396433376661373433356539363335383761353865626334613534353265333433323439313664303239630000b20009000400efbe2f55b4082f55b4082e000000000000000000000000000000000000000000000000004e142500630034003700380035006100340030006400350032003900650037003800330031006500370064003000390064003300370066006100370034003300350065003900360033003500380037006100350038006500620063003400610035003400350032006500330034003300320034003900310036006400300032003900630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006f5772211000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63343738356134306435323965373833316537643039643337666137343335653936333538376135386562633461353435326533343332343931366430323963000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2314cb509e929ed11a0eef63a18efecfd80c72b02b50e1340bd556b93270e57f2314cb509e929ed11a0eef63a18efecfdce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57a9f3c0-7619-4d40- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57a9f3c0-7619-4d40- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ahiuqjk.wmv"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ef4158f4-5053-4d7b- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\822d2118fa80d9266e345d5c1af1a535ce9802942757da45efee0181c0a7fdd2"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\49585fbb-8add-4002- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000088988e459fc8d80188988e459fc8d80188988e459fc8d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002f55b4082000316235333462616533343232303364316330393764333262353565313837626432633935353939663962346236316162343335376464386166373039643335350000b20009000400efbe2f55b4082f55b4082e0000000000000000000000000000000000000000000000000078b10300310062003500330034006200610065003300340032003200300033006400310063003000390037006400330032006200350035006500310038003700620064003200630039003500350039003900660039006200340062003600310061006200340033003500370064006400380061006600370030003900640033003500350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006f5772211000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31623533346261653334323230336431633039376433326235356531383762643263393535393966396234623631616234333537646438616637303964333535000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f22b4cb509e929ed11a0eef63a18efecfd80c72b02b50e1340bd556b93270e57f22b4cb509e929ed11a0eef63a18efecfdce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dfa7cbaa-1335-46fa-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e6f5212-f106-40e2- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d68f1e459fc8d801d68f1e459fc8d801d68f1e459fc8d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002f55b4082000383037313964386232353062343330643566613034333136346362616638653063383064343439336431633934323734313731363231353932626463653038330000b20009000400efbe2f55b4082f55b4082e000000000000000000000000000000000000000000000000002aba7300380030003700310039006400380062003200350030006200340033003000640035006600610030003400330031003600340063006200610066003800650030006300380030006400340034003900330064003100630039003400320037003400310037003100360032003100350039003200620064006300650030003800330000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006f5772211000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38303731396438623235306234333064356661303433313634636261663865306338306434343933643163393432373431373136323135393262646365303833000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2264cb509e929ed11a0eef63a18efecfd80c72b02b50e1340bd556b93270e57f2264cb509e929ed11a0eef63a18efecfdce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\49585fbb-8add-4002- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1b534bae342203d1c097d32b55e187bd2c95599f9b4b61ab4357dd8af709d355"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dfa7cbaa-1335-46fa-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ohrmwvkea.wmv"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e8c9e5d7-6263-4768-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57a9f3c0-7619-4d40- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57a9f3c0-7619-4d40- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9531ac91de1830441f396b99b4941050b542e9771d1dcab1c8465ca7e57205d0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57a9f3c0-7619-4d40- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d38b5c459fc8d801d38b5c459fc8d801d38b5c459fc8d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002f55b4082000393533316163393164653138333034343166333936623939623439343130353062353432653937373164316463616231633834363563613765353732303564300000b20009000400efbe2f55b4082f55b4082e000000000000000000000000000000000000000000000000002dbe3500390035003300310061006300390031006400650031003800330030003400340031006600330039003600620039003900620034003900340031003000350030006200350034003200650039003700370031006400310064006300610062003100630038003400360035006300610037006500350037003200300035006400300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006f5772211000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39353331616339316465313833303434316633393662393962343934313035306235343265393737316431646361623163383436356361376535373230356430000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2284cb509e929ed11a0eef63a18efecfd80c72b02b50e1340bd556b93270e57f2284cb509e929ed11a0eef63a18efecfdce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dfa7cbaa-1335-46fa-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ckeqcpyhnt.wmv"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ef4158f4-5053-4d7b-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ef4158f4-5053-4d7b- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/nmyskzkqinqe.wmv"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9e8d7535-c597-4bbd- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e6f5212-f106-40e2- = d8bd30459fc8d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ef4158f4-5053-4d7b-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ef4158f4-5053-4d7b- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001a8b3d459fc8d8011a8b3d459fc8d8011a8b3d459fc8d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002f55b4082000383232643231313866613830643932363665333435643563316166316135333563653938303239343237353764613435656665653031383163306137666464320000b20009000400efbe2f55b4082f55b4082e00000000000000000000000000000000000000000000000000e6be5400380032003200640032003100310038006600610038003000640039003200360036006500330034003500640035006300310061006600310061003500330035006300650039003800300032003900340032003700350037006400610034003500650066006500650030003100380031006300300061003700660064006400320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006f5772211000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38323264323131386661383064393236366533343564356331616631613533356365393830323934323735376461343565666565303138316330613766646432000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2274cb509e929ed11a0eef63a18efecfd80c72b02b50e1340bd556b93270e57f2274cb509e929ed11a0eef63a18efecfdce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9e8d7535-c597-4bbd- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c4785a40d529e7831e7d09d37fa7435e963587a58ebc4a5452e34324916d029c"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9e8d7535-c597-4bbd- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000b2356d459fc8d801b2356d459fc8d801b2356d459fc8d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002f55b4082000633437383561343064353239653738333165376430396433376661373433356539363335383761353865626334613534353265333433323439313664303239630000b20009000400efbe2f55b4082f55b4082e000000000000000000000000000000000000000000000000004e142500630034003700380035006100340030006400350032003900650037003800330031006500370064003000390064003300370066006100370034003300350065003900360033003500380037006100350038006500620063003400610035003400350032006500330034003300320034003900310036006400300032003900630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006f5772211000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63343738356134306435323965373833316537643039643337666137343335653936333538376135386562633461353435326533343332343931366430323963000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2294cb509e929ed11a0eef63a18efecfd80c72b02b50e1340bd556b93270e57f2294cb509e929ed11a0eef63a18efecfdce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e6f5212-f106-40e2-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e6f5212-f106-40e2- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84090b8e-9244-4995- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\85b2399d-c22c-4103-	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84090b8e-9244-4995- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9ae0b3b378441f61d6978a0b567d89f6f413414898fa0a87d2adcc39cabbf2a8"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bda05adb-08d1-4abc-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bda05adb-08d1-4abc- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/qwgngrydqx.wmv"	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WScript.exe

pid process

4264 WScript.exe
4264 WScript.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

652 Explorer.EXE

pid	process
4264	WScript.exe
4264	WScript.exe

pid	process
652	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

Explorer.EXERuntimeBroker.exevssvc.exewbengine.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe
Token: SeBackupPrivilege	4536	vssvc.exe
Token: SeRestorePrivilege	4536	vssvc.exe
Token: SeAuditPrivilege	4536	vssvc.exe
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeBackupPrivilege	4860	wbengine.exe
Token: SeRestorePrivilege	4860	wbengine.exe
Token: SeSecurityPrivilege	4860	wbengine.exe
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeCreatePagefilePrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	4816	explorer.exe
Token: SeCreatePagefilePrivilege	4816	explorer.exe
Token: SeShutdownPrivilege	4816	explorer.exe
Token: SeCreatePagefilePrivilege	4816	explorer.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

WScript.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	process	target process
PID 4264 wrote to memory of 2724	4264	WScript.exe	sihost.exe
PID 4264 wrote to memory of 2824	4264	WScript.exe	svchost.exe
PID 4264 wrote to memory of 2888	4264	WScript.exe	taskhostw.exe
PID 4264 wrote to memory of 652	4264	WScript.exe	Explorer.EXE
PID 4264 wrote to memory of 3088	4264	WScript.exe	svchost.exe
PID 4264 wrote to memory of 3296	4264	WScript.exe	DllHost.exe
PID 4264 wrote to memory of 3384	4264	WScript.exe	StartMenuExperienceHost.exe
PID 4264 wrote to memory of 3444	4264	WScript.exe	RuntimeBroker.exe
PID 4264 wrote to memory of 3544	4264	WScript.exe	SearchApp.exe
PID 4264 wrote to memory of 3680	4264	WScript.exe	RuntimeBroker.exe
PID 4264 wrote to memory of 4612	4264	WScript.exe	RuntimeBroker.exe
PID 4264 wrote to memory of 4156	4264	WScript.exe	backgroundTaskHost.exe
PID 4264 wrote to memory of 3104	4264	WScript.exe	backgroundTaskHost.exe
PID 4264 wrote to memory of 4256	4264	WScript.exe	RuntimeBroker.exe
PID 3936 wrote to memory of 3660	3936	cmd.exe	fodhelper.exe
PID 3936 wrote to memory of 3660	3936	cmd.exe	fodhelper.exe
PID 3660 wrote to memory of 3260	3660	fodhelper.exe	wscript.exe
PID 3660 wrote to memory of 3260	3660	fodhelper.exe	wscript.exe
PID 3524 wrote to memory of 4600	3524	cmd.exe	fodhelper.exe
PID 3524 wrote to memory of 4600	3524	cmd.exe	fodhelper.exe
PID 4600 wrote to memory of 4456	4600	fodhelper.exe	wscript.exe
PID 4600 wrote to memory of 4456	4600	fodhelper.exe	wscript.exe
PID 3188 wrote to memory of 1180	3188	cmd.exe	fodhelper.exe
PID 3188 wrote to memory of 1180	3188	cmd.exe	fodhelper.exe
PID 1180 wrote to memory of 4156	1180	fodhelper.exe	wscript.exe
PID 1180 wrote to memory of 4156	1180	fodhelper.exe	wscript.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3104

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4156

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3680
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/ahiuqjk.wmv
      4⤵
      PID:3260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3384

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3296
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3296 -s 984
  2⤵
  - Program crash
  PID:3816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3088
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/cyjrayyxp.wmv
      4⤵
      PID:4456

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:652
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SYSTEM.Security.Database.Upgrade.Win10.0_1.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4264
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/rjodnuke.wmv
      4⤵
      PID:4156
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 652 -s 6084
  2⤵
  - Program crash
  PID:4808

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2824

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3296 -ip 3296
1⤵
PID:3732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4480

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:5092

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4756

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:3256

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2056

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2244

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3392

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:5116

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:4264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 652 -ip 652
1⤵
PID:3144

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\DESKTOP\COMPAREINSTALL.POTX.FHBRFUJ

Filesize
355KB

MD5
2d1b1a647aaf08bd3ff5951bd17f525c

SHA1
cfdf5d2699befe0983f94ac1b252190702bfec14

SHA256
3375862b77c49ac43356d46962e9236696c88e4e601551ca28b99b3510b78eeb

SHA512
986f1484c9515f64ecd78afb8c6f18ccbdfc94a02c1fd1ed9c08c0087ae3037dcf3d20e3e671688a618b81e1a813afbf6f32b05b80d7570ec3f5817effc44106

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPLETEFORMAT.MPG.FHBRFUJ

Filesize
777KB

MD5
0d847061aa6272af7a4ca45a46e9a3f3

SHA1
b1e97356f5b63c6d061879c6291ff35071953743

SHA256
2cadc43ef65a8ae7e7837feed0c6dc89ce16d0b914d3de2159d7e33797abca1f

SHA512
4082e668b83e50d1cd04b60f5452ec6ad71f031c26d5d6b252467b312d557780042978c9a302389a5fcc349e271781fed254a34345eccd40a683e2947085003b

Download Submit
C:\USERS\ADMIN\DESKTOP\CONFIRMSHOW.VSDX.FHBRFUJ

Filesize
821KB

MD5
2b4a6827bb43ead4a2af60938da49c3b

SHA1
fab98e55292cf28155cd90c10659d2df5da7586d

SHA256
868783f5a76a9428fbdfdac4bcbd532d035fa1651d2af809fd016c7a00c649c3

SHA512
2509eed76882cce2aceddd16b6b219f5e28aa13f1f22e1152f3338d105b84c9519beda16034e2ad2f5673d5773853f9a959e9f7a188dbb70e707c4419528c5f6

Download Submit
C:\USERS\ADMIN\DESKTOP\CONNECTOPEN.JTX.FHBRFUJ

Filesize
844KB

MD5
49bc92b5ffe9e4fbf82671c2d1301174

SHA1
df23099780420340af3532d9de737897640b9919

SHA256
12be6f761df1eac7b5f525f02b4ebc69ee6b3c991dc3c205ab44182bffbf6a04

SHA512
681ca19a84f16800232da1bf08f2542f437e621c7839eff5c99475f91fcb445e61000acc7e5c61ee93d8455cfbef74a203455e6d0e1f8807966930cdd2c672ae

Download Submit
C:\USERS\ADMIN\DESKTOP\ENTERSAVE.XLTM.FHBRFUJ

Filesize
444KB

MD5
7eac94922032604ed42840941e7f10c5

SHA1
4828b375025d3f2eafe09a07eeccc45853713fa7

SHA256
b72f73f5a119441e15787ed35540aa0072a3d5ed65b0d05bbe7b72c90df4440e

SHA512
f88532e4b42f3df57d270148f40ff6edfa86d6eac521e4ac5753a1362d3538c76eac2230b2debfa26dda3ba9906440faa8529fde3b19369804d3605fbd4dfe50

Download Submit
C:\USERS\ADMIN\DESKTOP\EXPANDAPPROVE.CSV.FHBRFUJ

Filesize
688KB

MD5
7f476235376a14eb516300e51d310bae

SHA1
11b4266a3d061472b0bc82996edb3472ab9e518b

SHA256
62e8c53f994147347757ebcc6159727c23e315c087e25e49e59d27455507ddfa

SHA512
b565c24dd4356372ff3578374e47221d553f48f0c57e2e52427e2feceb100df2ce41e3fdf74afcd6e8af04c8d35b016225e1384ba9174ff8429335a5961f7c3c

Download Submit
C:\USERS\ADMIN\DESKTOP\GETWAIT.VBS.FHBRFUJ

Filesize
710KB

MD5
3b645b0013675e3ef110bbfa3ce1ea43

SHA1
7dae4159cd30988cf4709be202d519b140239ce2

SHA256
c0b29301b8a43d06a4a160fa1993cd71d924230b7891d06313df471eaea7f1ad

SHA512
685821657a6bcf879c2fc3f1f4882c44f7d142f9e12c2b7c6d2a79a56be9b6766a463b5b3f50e50cfc071eab4d4d3e95097ecc1c65e3ea18798df5c00a8af311

Download Submit
C:\USERS\ADMIN\DESKTOP\GRANTMERGE.WMV.FHBRFUJ

Filesize
577KB

MD5
e53b3f34947face3c526b79e286ba53b

SHA1
339c32dbe94cd7f5d9ea6675242187431655b48a

SHA256
667491eae479f00bd31022ff4077c639cee9624e4632d9f7c23b542b55ea23c4

SHA512
7404b24e247ef51e43c48abd4738f49d57cde4dc73add92b4ab18bf328c87925eaea04f5a378726e5dbf7e5e46762fa410820509289c82fcea70974d15e8e39f

Download Submit
C:\USERS\ADMIN\DESKTOP\MEASURELIMIT.POTX.FHBRFUJ

Filesize
488KB

MD5
fa1b3ec6049a2f010ecb03e248eb79f5

SHA1
a70c67a5472e1bad99cb4d19c286685da1b40bc7

SHA256
c3c3044a6782e528beafe526a1d06b1794555a5b3f86cf96f610edf15ad1b877

SHA512
866b812cd16215231860a28c3cbe306e7431022b6dcef3ab319a3018c7f7168ead65760409948d79e40e923fa1d76e7ee4b57abd176e25146b7349839584182a

Download Submit
C:\USERS\ADMIN\DESKTOP\MOUNTADD.GIF.FHBRFUJ

Filesize
599KB

MD5
4f40680337ae8ac333b32f84f70b81e6

SHA1
502fb593bf8bf146fbea425e02e6efa697267508

SHA256
6837a67c83ca68470709a9b507abe1b213cd3441c9cb2f70553d304f2b64e2a4

SHA512
febbdf88ff3bf273b5ddacef6933683ca39cf02d1218eb5836369e32dca3bf08fab918badf7ceec2c0ce6765a8830ce2f2f980aeebe2a9265921486b5a9f3c21

Download Submit
C:\USERS\ADMIN\DESKTOP\README.HTML

Filesize
18KB

MD5
29c6e2614191fd3af9cf9559d1c89797

SHA1
06278f98607df7451aee6bc4a282d5680f120506

SHA256
44068de5c57bdf9feb4de64243ce213bfc68e3bdfe58514ae525d0e158a61bc0

SHA512
7c46968a05050f74f540fae48084867b50b4a879fea957dba482247e39ed2481c3e228e992bf005f3cc11e7926d4f22f2773f81d3154fd7214946a79a6634fa3

Download Submit
C:\USERS\ADMIN\DESKTOP\RECEIVECONNECT.XLSB.FHBRFUJ

Filesize
311KB

MD5
c6b952057c3e16456a92ca9bf7507e74

SHA1
c0b27909c72247b8f82fc20b6625ab49bbd25c9a

SHA256
f8c16f8fd225e24c1fa723ef4350e7bd418156f1231fad4dbcbd6b07484d6899

SHA512
025b5270eb7ce9c67e20bbfce557c4a665e7d30674aa438963d21dcd4352ca8c10e1ddd7b3a5fe43b4e050413f162df850a6c2734502a379f656ce6f832cb192

Download Submit
C:\USERS\ADMIN\DESKTOP\REMOVEUNREGISTER.DOTM.FHBRFUJ

Filesize
333KB

MD5
d0b407fca831c187ea3924cc4726eb39

SHA1
68b5e1c66268e7369f6077802dc60191677c5bf8

SHA256
0e71d22da6319130f7cc62753759dff4ff53b4421b0e8b116ac402c3818d7b25

SHA512
00c1375b5218afa58c752bfdb0a5e12326bd2de7907a91fc37af61c9a782dcbbc71dfecfa121e76783885b51a9dc7c2a987a45b79d70882b48247cae39843b2f

Download Submit
C:\USERS\ADMIN\DESKTOP\REQUESTCONNECT.ISO.FHBRFUJ

Filesize
666KB

MD5
be9421bf3528c78b2e5f4e46e7ec1bb7

SHA1
c49c23e9e82e252f362eb43be4e89b050434ff86

SHA256
3d4574474ef9cab3fae190d3c9b4ac152a7cfee9a58d14f716bc16c04b0e9889

SHA512
01d38cd7aa08b68778aceadb77f7998c6fbbd4cc0f1b500167a95ccb831015d90950b1961cc8102d360f0a015bfa47d5c7c150e689ddebbca23afa2521eb6eb9

Download Submit
C:\USERS\ADMIN\DESKTOP\RESUMEMEASURE.EMF.FHBRFUJ

Filesize
621KB

MD5
8bd64f5f2acef9d3a25ee7ca4b300093

SHA1
c0cc0be4456634b6dfdc8e51d568789f9d23de36

SHA256
b1106b6c3fba735e0eedec7d27d89906eea71f0ccce3cc912b8b874970a1b4f0

SHA512
efee81c81c94a6f7b206bee54c4975e3f6cda48a30c29ffda8207c3c79698877ee2e835c8d1239144fe8ac5726ac7c0444030a87c5a627a3a9846a6f6a67c87f

Download Submit
C:\USERS\ADMIN\DESKTOP\REVOKEIMPORT.PPSX.FHBRFUJ

Filesize
866KB

MD5
f349136285a58fd9693467ee3272fc4f

SHA1
92ec21d8a005dc15d786e5b2a36faaf25c33f106

SHA256
dd51e2b2f1b58163052fb561364aff82484a0d6fd6877d93d2d3a55365add4c8

SHA512
8befd54cc00d0266c2bb1fe7583eb8f0500249a72bfab1b8631a6d69843807e98eea8040da5d7c9a0adc0b1ff4701f96677b878b96535c1fbe96f0b2d373461f

Download Submit
C:\USERS\ADMIN\DESKTOP\SETMOUNT.DIB.FHBRFUJ

Filesize
644KB

MD5
414e08833b7cc924e05618f8fd0db5a0

SHA1
422bf1d41fa37a16d7af2fb218e57cb9b1d14808

SHA256
f405d1505ad174efa8282099c497c20ed4e6aac219147acf791b022fb52d65b4

SHA512
98062698cc627d5108273aa49a8d5fbfc0b04bbaffe9dcdcc72e0356bbeee823172d6ade43281638425cd2c4e5457527ef72f1e4c0a6080098f859f2db8c0705

Download Submit
C:\USERS\ADMIN\DESKTOP\TESTASSERT.VSDX.FHBRFUJ

Filesize
533KB

MD5
70ac5dafb488f16bbc88ce81148b08fe

SHA1
3e292f24725a234ef4b5ce70a331f903d4949e42

SHA256
f2d509efe89911dcdc099150fa472f0424e3d2d42c9aea52321cd11bf62e6dfa

SHA512
022a5bf9004654ca2b0cd5b98b10b3cf0bf8e071f82736b0a78e7f83c3310637c10d85597fa9dafaf05653c36d4eacba42a761232da7d3a4232a938a6288ec0b

Download Submit
C:\USERS\ADMIN\DESKTOP\TRACESYNC.RAR.FHBRFUJ

Filesize
888KB

MD5
d8c9204a67825ef84f8553284f2be3a3

SHA1
b3b6cdb4385dad0f72e9b2ebcd7d9d6ddddab783

SHA256
d4d0b3b6a17f21ef42c8655781219043df6d43845541298f416aec11d6afc5d8

SHA512
8ef63a6a0dac8eb09447e0102b4a761f067d8165e72cf594890c75abe9dd4318f01286b56da2ed004e182827286bde128905c7b86cd8d74078891abcee48a7c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1016B

MD5
0e4048ae343932ec4deecd5c28d41120

SHA1
d8cba17ad7c4a6c0b69b6e45291bdf64d83fa724

SHA256
d12b37982d443bb314d593362d052eba684b200eca1454a7d149d357efe27970

SHA512
bd7e2eaf99267bea7be01b6c3cac74e5a0c8337fcf0215c62cea4192f9b6bc0ede3a733d282750693b0c3c7cbb96b63614e12ad5928ceda17fe9c064dec411c9

Download Submit
C:\Users\Public\ahiuqjk.wmv

Filesize
868B

MD5
581973cdfb4720018293584fa82b6973

SHA1
a280dec72dff08d9448d866e6e3011241c5794bc

SHA256
1972fe56babf7575426b0690a118c342ef8cff2e463b16a8cf3071c3229d510b

SHA512
6e115f41e19dc2e90d8800fb3089f4b83d048c41c25e994b8c23c409bb30eede25bf208d61315574253002a287abef3dd876c9673d6ff928a70f46608ab8fd80

Download Submit
C:\Users\Public\rjodnuke.wmv

Filesize
868B

MD5
581973cdfb4720018293584fa82b6973

SHA1
a280dec72dff08d9448d866e6e3011241c5794bc

SHA256
1972fe56babf7575426b0690a118c342ef8cff2e463b16a8cf3071c3229d510b

SHA512
6e115f41e19dc2e90d8800fb3089f4b83d048c41c25e994b8c23c409bb30eede25bf208d61315574253002a287abef3dd876c9673d6ff928a70f46608ab8fd80

Download Submit
memory/1180-156-0x0000000000000000-mapping.dmp

Download
memory/2724-135-0x000001D0D0AA0000-0x000001D0D0AAB000-memory.dmp

Filesize
44KB

Download
memory/3260-152-0x0000000000000000-mapping.dmp

Download
memory/3660-151-0x0000000000000000-mapping.dmp

Download
memory/4156-157-0x0000000000000000-mapping.dmp

Download
memory/4264-132-0x00007FF8F8FD0000-0x00007FF8F9A91000-memory.dmp

Filesize
10.8MB

Download
memory/4264-150-0x00007FF8F8FD0000-0x00007FF8F9A91000-memory.dmp

Filesize
10.8MB

Download
memory/4264-147-0x000001F400000000-0x000001F401000000-memory.dmp

Filesize
16.0MB

Download
memory/4264-146-0x00007FF8F8FD0000-0x00007FF8F9A91000-memory.dmp

Filesize
10.8MB

Download
memory/4264-134-0x000001F400000000-0x000001F401000000-memory.dmp

Filesize
16.0MB

Download
memory/4456-155-0x0000000000000000-mapping.dmp

Download
memory/4600-154-0x0000000000000000-mapping.dmp

Download