gozi | 3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe
Size

586KB
MD5

69fb0b7092d4f247ac065abc6b06042b
SHA1

8d8d9b846e2f4624063806291c5875953d67457c
SHA256

3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b
SHA512

4f06d42fed4c033b1d835f0b7fc79450a8432c1168f4232d5534f26ec9bc07f5ed6df0a33736f41849b37be3279d23b0fa2b77dfb68ab92caaab9d3ec33a6b78
SSDEEP

12288:osiOZO5I+h2gOoIMUUtN5y1iyqTU/zWjdp9fs:+eO5I22lMUUEiyqM+dp9f

Score

10^/10

gozi 1100 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1100

cyajon.at/krp3cmg

outaplaceshave.cn/krp3cmg

nozakin.at/krp3cmg

hothegivforsuffer.cn/krp3cmg

austrinok.at/krp3cmg

comerail.su/krp3cmg

ambieko.at/krp3cmg

justiceseasfriends.cn/krp3cmg

semitrol.at/krp3cmg

goinumder.su/krp3cmg

arexan.at/krp3cmg

trepeatedandequal.cn/krp3cmg

golovor.at/krp3cmg

therepalon.su/krp3cmg

creatortherefore.cn/krp3cmg

Attributes

build
214798
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
exe_type
worker
server_id
110

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

biwilg32.exe

pid process

3428 biwilg32.exe
Executes dropped EXE 1 IoCs

Processes:

biwilg32.exe

pid process

3428 biwilg32.exe

pid	process
3428	biwilg32.exe

pid	process
3428	biwilg32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\accetenc = "C:\\Users\\Admin\\AppData\\Roaming\\AcLapobj\\biwilg32.exe"	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

biwilg32.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 3428 set thread context of 4984	3428	biwilg32.exe	svchost.exe
PID 4984 set thread context of 3444	4984	svchost.exe	Explorer.EXE
PID 3444 set thread context of 3904	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 set thread context of 4204	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 set thread context of 2364	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 set thread context of 6080	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 set thread context of 3364	3444	Explorer.EXE	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exebiwilg32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	biwilg32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	biwilg32.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b906cec-6297-4b5d- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000062e92189d7acda0162e92189d7acda0162e92189d7acda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b758f8302000343862633762303665613833323263643661663831643661343530386633333733623962386238313362633939386436613232346365616265313363396639610000b20009000400efbeb758f830b758f8302e000000000000000000000000000000000000000000000000009ea80700340038006200630037006200300036006500610038003300320032006300640036006100660038003100640036006100340035003000380066003300330037003300620039006200380062003800310033006200630039003900380064003600610032003200340063006500610062006500310033006300390066003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005bfc103d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34386263376230366561383332326364366166383164366134353038663333373362396238623831336263393938643661323234636561626531336339663961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696a746f6f7678000000000000000072e9330fb5301f4a9e010962a32a67ec8a5068942f0def11a084fa71c8f1560d72e9330fb5301f4a9e010962a32a67ec8a5068942f0def11a084fa71c8f1560dce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003800300034003100350030003900330037002d0032003100340036003700300038003400300031002d003400310039003000390035003000370031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000072b368a9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b906cec-6297-4b5d- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d4e3799-65b2-4f4c-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70c2df17-516e-487a-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06e716ad-915c-45c1-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d4e3799-65b2-4f4c- = 548fbf89d7acda01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d578c131-2be5-44cf- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5bc7920d-e31b-4ae5-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d578c131-2be5-44cf- = 9847ce89d7acda01	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5aefa2bd-305c-4416-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06e716ad-915c-45c1-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06e716ad-915c-45c1- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7998d4b48e7fce37ee36d68bf0b4d8df1681d5baca950c6bf1818ec63907ddc6"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5aefa2bd-305c-4416- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000764b2489d7acda01764b2489d7acda01764b2489d7acda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b758f8302000333363396564306239613731316532633437666630303031613438653531393130663063316430363730366534346365663861306631383439323332373530610000b20009000400efbeb758f830b758f8302e000000000000000000000000000000000000000000000000008a460500330033006300390065006400300062003900610037003100310065003200630034003700660066003000300030003100610034003800650035003100390031003000660030006300310064003000360037003000360065003400340063006500660038006100300066003100380034003900320033003200370035003000610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005bfc103d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33336339656430623961373131653263343766663030303161343865353139313066306331643036373036653434636566386130663138343932333237353061000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696a746f6f7678000000000000000072e9330fb5301f4a9e010962a32a67ec8b5068942f0def11a084fa71c8f1560d72e9330fb5301f4a9e010962a32a67ec8b5068942f0def11a084fa71c8f1560dce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003800300034003100350030003900330037002d0032003100340036003700300038003400300031002d003400310039003000390035003000370031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000072b368a9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5bc7920d-e31b-4ae5- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000002e102989d7acda012e102989d7acda012e102989d7acda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b758f8302000646534353931356234616636306137363266306232353931643532393532383765643739383162643237323465343737383034643933373031393131623039610000b20009000400efbeb758f830b758f8302e00000000000000000000000000000000000000000000000000d2810000640065003400350039003100350062003400610066003600300061003700360032006600300062003200350039003100640035003200390035003200380037006500640037003900380031006200640032003700320034006500340037003700380030003400640039003300370030003100390031003100620030003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005bfc103d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64653435393135623461663630613736326630623235393164353239353238376564373938316264323732346534373738303464393337303139313162303961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696a746f6f7678000000000000000072e9330fb5301f4a9e010962a32a67ec8c5068942f0def11a084fa71c8f1560d72e9330fb5301f4a9e010962a32a67ec8c5068942f0def11a084fa71c8f1560dce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003800300034003100350030003900330037002d0032003100340036003700300038003400300031002d003400310039003000390035003000370031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000072b368a9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d4e3799-65b2-4f4c- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000010233c89d7acda019f0aa589d7acda019f0aa589d7acda01e27c09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b758f8302000373939386434623438653766636533376565333664363862663062346438646631363831643562616361393530633662663138313865633633393037646463360000b20009000400efbeb758f830b758f8302e0000000000000000000000000000000000000000000000000089cf0e00370039003900380064003400620034003800650037006600630065003300370065006500330036006400360038006200660030006200340064003800640066003100360038003100640035006200610063006100390035003000630036006200660031003800310038006500630036003300390030003700640064006300360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005bfc103d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37393938643462343865376663653337656533366436386266306234643864663136383164356261636139353063366266313831386563363339303764646336000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696a746f6f7678000000000000000072e9330fb5301f4a9e010962a32a67ec8e5068942f0def11a084fa71c8f1560d72e9330fb5301f4a9e010962a32a67ec8e5068942f0def11a084fa71c8f1560dce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003800300034003100350030003900330037002d0032003100340036003700300038003400300031002d003400310039003000390035003000370031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000072b368a9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b906cec-6297-4b5d-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5aefa2bd-305c-4416- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5bc7920d-e31b-4ae5- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\de45915b4af60a762f0b2591d5295287ed7981bd2724e477804d93701911b09a"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65b3e961-b81f-47a5- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06e716ad-915c-45c1- = 0d832089d7acda01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d578c131-2be5-44cf-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65b3e961-b81f-47a5-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65b3e961-b81f-47a5- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\de45915b4af60a762f0b2591d5295287ed7981bd2724e477804d93701911b09a"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d4e3799-65b2-4f4c- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d4e3799-65b2-4f4c- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70c2df17-516e-487a-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06e716ad-915c-45c1- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5aefa2bd-305c-4416-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5bc7920d-e31b-4ae5- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5bc7920d-e31b-4ae5- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65b3e961-b81f-47a5- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5bc7920d-e31b-4ae5-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d578c131-2be5-44cf-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70c2df17-516e-487a- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06e716ad-915c-45c1- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b906cec-6297-4b5d- = 98f22489d7acda01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5aefa2bd-305c-4416- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5aefa2bd-305c-4416- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\33c9ed0b9a711e2c47ff0001a48e51910f0c1d06706e44cef8a0f1849232750a"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b906cec-6297-4b5d- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5bc7920d-e31b-4ae5- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70c2df17-516e-487a- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\33c9ed0b9a711e2c47ff0001a48e51910f0c1d06706e44cef8a0f1849232750a"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b906cec-6297-4b5d- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65b3e961-b81f-47a5-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70c2df17-516e-487a- = f36fe889d7acda01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5bc7920d-e31b-4ae5- = 3dc82c89d7acda01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65b3e961-b81f-47a5- = 3f88e489d7acda01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\70c2df17-516e-487a- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000047bd7789d7acda01487ed989d7acda01487ed989d7acda01ed9209000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b758f8302000333363396564306239613731316532633437666630303031613438653531393130663063316430363730366534346365663861306631383439323332373530610000b20009000400efbeb758f830b758f8302e000000000000000000000000000000000000000000000000008a460500330033006300390065006400300062003900610037003100310065003200630034003700660066003000300030003100610034003800650035003100390031003000660030006300310064003000360037003000360065003400340063006500660038006100300066003100380034003900320033003200370035003000610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000005bfc103d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33336339656430623961373131653263343766663030303161343865353139313066306331643036373036653434636566386130663138343932333237353061000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696a746f6f7678000000000000000072e9330fb5301f4a9e010962a32a67ec915068942f0def11a084fa71c8f1560d72e9330fb5301f4a9e010962a32a67ec915068942f0def11a084fa71c8f1560dce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003800300034003100350030003900330037002d0032003100340036003700300038003400300031002d003400310039003000390035003000370031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000072b368a9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5aefa2bd-305c-4416- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d578c131-2be5-44cf- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b906cec-6297-4b5d-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5aefa2bd-305c-4416-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5aefa2bd-305c-4416- = ca622989d7acda01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65b3e961-b81f-47a5- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06e716ad-915c-45c1-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b906cec-6297-4b5d-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5b906cec-6297-4b5d- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5bc7920d-e31b-4ae5-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d4e3799-65b2-4f4c-	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

biwilg32.exeExplorer.EXE

pid process

3428 biwilg32.exe
3428 biwilg32.exe
3444 Explorer.EXE
3444 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

biwilg32.exesvchost.exeExplorer.EXE

pid process

3428 biwilg32.exe
4984 svchost.exe
3444 Explorer.EXE
3444 Explorer.EXE
3444 Explorer.EXE
3444 Explorer.EXE
3444 Explorer.EXE

pid	process
3428	biwilg32.exe
3428	biwilg32.exe
3444	Explorer.EXE
3444	Explorer.EXE

pid	process
3428	biwilg32.exe
4984	svchost.exe
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeShutdownPrivilege	3904	RuntimeBroker.exe
Token: SeShutdownPrivilege	3904	RuntimeBroker.exe
Token: SeShutdownPrivilege	3904	RuntimeBroker.exe
Token: SeShutdownPrivilege	3904	RuntimeBroker.exe
Token: SeShutdownPrivilege	3904	RuntimeBroker.exe
Token: SeShutdownPrivilege	3904	RuntimeBroker.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3444 Explorer.EXE

pid	process
3444	Explorer.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.execmd.execmd.exebiwilg32.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 2300 wrote to memory of 4684	2300	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe	cmd.exe
PID 2300 wrote to memory of 4684	2300	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe	cmd.exe
PID 2300 wrote to memory of 4684	2300	69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe	cmd.exe
PID 4684 wrote to memory of 5560	4684	cmd.exe	cmd.exe
PID 4684 wrote to memory of 5560	4684	cmd.exe	cmd.exe
PID 4684 wrote to memory of 5560	4684	cmd.exe	cmd.exe
PID 5560 wrote to memory of 3428	5560	cmd.exe	biwilg32.exe
PID 5560 wrote to memory of 3428	5560	cmd.exe	biwilg32.exe
PID 5560 wrote to memory of 3428	5560	cmd.exe	biwilg32.exe
PID 3428 wrote to memory of 4984	3428	biwilg32.exe	svchost.exe
PID 3428 wrote to memory of 4984	3428	biwilg32.exe	svchost.exe
PID 3428 wrote to memory of 4984	3428	biwilg32.exe	svchost.exe
PID 3428 wrote to memory of 4984	3428	biwilg32.exe	svchost.exe
PID 3428 wrote to memory of 4984	3428	biwilg32.exe	svchost.exe
PID 4984 wrote to memory of 3444	4984	svchost.exe	Explorer.EXE
PID 4984 wrote to memory of 3444	4984	svchost.exe	Explorer.EXE
PID 4984 wrote to memory of 3444	4984	svchost.exe	Explorer.EXE
PID 3444 wrote to memory of 3904	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 3904	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 3904	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 4204	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 4204	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 4204	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 2364	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 2364	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 2364	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 6080	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 6080	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 6080	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 3364	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 3364	3444	Explorer.EXE	RuntimeBroker.exe
PID 3444 wrote to memory of 3364	3444	Explorer.EXE	RuntimeBroker.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69fb0b7092d4f247ac065abc6b06042b_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96E0\4B70.bat" "C:\Users\Admin\AppData\Roaming\AcLapobj\biwilg32.exe" "C:\Users\Admin\AppData\Local\Temp\69FB0B~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\AcLapobj\biwilg32.exe" "C:\Users\Admin\AppData\Local\Temp\69FB0B~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:5560

C:\Users\Admin\AppData\Roaming\AcLapobj\biwilg32.exe
"C:\Users\Admin\AppData\Roaming\AcLapobj\biwilg32.exe" "C:\Users\Admin\AppData\Local\Temp\69FB0B~1.EXE"
5⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x508
1⤵
PID:4376

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:6080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\96E0\4B70.bat
Filesize
112B

MD5
aa819d7623b5445d31da86b33c2ea92e

SHA1
4df78eb33e91aa6c747ac1933ae116da666068d8

SHA256
39b99dca9153f97539ca4ac9a89de0d015facae663ca6e010d442c02d63c775a

SHA512
fd301f43fb43e4e57a5ff255da9bd746cac1293aa5464f1d76d4eb85888e7792e8c3867257a0b4dd64f93aa8e73ef7790008bd8c557039fea45109cfc9a3d34f

Download Submit
C:\Users\Admin\AppData\Roaming\AcLapobj\biwilg32.exe
Filesize
586KB

MD5
69fb0b7092d4f247ac065abc6b06042b

SHA1
8d8d9b846e2f4624063806291c5875953d67457c

SHA256
3eec66b77b94ef402c0b11c496df2f27867d0406dc59540d0bfaff4b271ecc2b

SHA512
4f06d42fed4c033b1d835f0b7fc79450a8432c1168f4232d5534f26ec9bc07f5ed6df0a33736f41849b37be3279d23b0fa2b77dfb68ab92caaab9d3ec33a6b78

Download Submit
memory/2300-4-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2300-9-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2300-2-0x0000000002A70000-0x0000000002AC4000-memory.dmp

Filesize
336KB

Download
memory/2300-0-0x0000000002A70000-0x0000000002AC4000-memory.dmp

Filesize
336KB

Download
memory/2300-1-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2364-41-0x0000024BC25D0000-0x0000024BC2659000-memory.dmp

Filesize
548KB

Download
memory/2364-45-0x0000024BC25D0000-0x0000024BC2659000-memory.dmp

Filesize
548KB

Download
memory/3364-59-0x0000026DE7F40000-0x0000026DE7FC9000-memory.dmp

Filesize
548KB

Download
memory/3364-51-0x0000026DE7F40000-0x0000026DE7FC9000-memory.dmp

Filesize
548KB

Download
memory/3428-14-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3428-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3444-53-0x0000000004780000-0x0000000004809000-memory.dmp

Filesize
548KB

Download
memory/3444-60-0x0000000004780000-0x0000000004809000-memory.dmp

Filesize
548KB

Download
memory/3444-65-0x0000000004780000-0x0000000004809000-memory.dmp

Filesize
548KB

Download
memory/3444-64-0x0000000004780000-0x0000000004809000-memory.dmp

Filesize
548KB

Download
memory/3444-57-0x0000000004780000-0x0000000004809000-memory.dmp

Filesize
548KB

Download
memory/3444-22-0x0000000004780000-0x0000000004809000-memory.dmp

Filesize
548KB

Download
memory/3444-52-0x0000000004780000-0x0000000004809000-memory.dmp

Filesize
548KB

Download
memory/3444-63-0x0000000004780000-0x0000000004809000-memory.dmp

Filesize
548KB

Download
memory/3444-58-0x0000000004780000-0x0000000004809000-memory.dmp

Filesize
548KB

Download
memory/3904-35-0x000002006FCF0000-0x000002006FD79000-memory.dmp

Filesize
548KB

Download
memory/3904-31-0x000002006FCF0000-0x000002006FD79000-memory.dmp

Filesize
548KB

Download
memory/4204-40-0x0000021FAEAD0000-0x0000021FAEB59000-memory.dmp

Filesize
548KB

Download
memory/4204-36-0x0000021FAEAD0000-0x0000021FAEB59000-memory.dmp

Filesize
548KB

Download
memory/4984-23-0x00000000004E0000-0x0000000000569000-memory.dmp

Filesize
548KB

Download
memory/4984-17-0x00000000004E0000-0x0000000000569000-memory.dmp

Filesize
548KB

Download
memory/6080-50-0x0000017BD52E0000-0x0000017BD5369000-memory.dmp

Filesize
548KB

Download
memory/6080-46-0x0000017BD52E0000-0x0000017BD5369000-memory.dmp

Filesize
548KB

Download