Analysis
max time kernel: 299s
max time network: 301s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-05-2024 20:13
Static task: static1
General
Target: 7ebabb8b4bb51cf.exe
Size: 8.1MB
MD5: 9ae6eccd4947fa65016152db60a1e9c4
SHA1: ac6693c8fc03c286c93860e0c13474151c2f1557
SHA256: 16771b819b03044356bad5b6d2a6b0f84e7fbd94c336743b58bbe5dc2e2ccbe8
SHA512: 11974385658bd5a20819cf859c7058198f61fbad1566ddbd9788806097b559434ba8cd12a59ea82dd86e3c8a225571d3b2cac3a97514c20cdbe49f6a0423adf8
SSDEEP: 49152:Evqgk7XySAxNIQcmwYEhwUdKTMcZONvPUMPbANZ9B0hKuSZDidHutYPibit:Phzt
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime. In this run it is the savesref.exe / dropped WmiPrvSE.exe chain; the dcrat YARA rule hits are listed below.
Detect Umbral payload 3 IoCs
Umbral is an open-source .NET stealer that exfiltrates over Discord webhooks. The memory hit on PID 1788 (the dropped Temp\explorer.exe) together with that process's host-fingerprinting wmic/PowerShell commands, the Roblox .ROBLOSECURITY lookups and the discord.com and ip-api.com traffic are all consistent with it.
resource | yara_rule
behavioral1/memory/3172-5-0x0000000000400000-0x000000000060E000-memory.dmp | family_umbral
behavioral1/files/0x000200000002a9d5-22.dat | family_umbral
behavioral1/memory/1788-31-0x000002C0A4990000-0x000002C0A49D0000-memory.dmp | family_umbral
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro. WmiPrvSE.exe is the exception: every process created through WMI (Win32_Process.Create) gets the WMI provider host as its parent, so these rows show the persistence tasks being created over WMI, not a compromised provider host. In each row pid is the child (schtasks.exe) and pid_target is the genuine wmiprvse.exe instance (2944).
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 2944 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1948 | 2944 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4144 | 2944 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3464 | 2944 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1096 | 2944 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3544 | 2944 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4768 | 2944 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 696 | 2944 | schtasks.exe | 97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2296 | 2944 | schtasks.exe | 97
UAC bypass 6 IoCs
These are writes to the machine-wide UAC policy key, which needs an already-elevated token (the same two processes also write under C:\Program Files and C:\Windows\SystemApps). So this is UAC being switched off by an elevated process rather than a prompt being bypassed; EnableLUA=0 only takes effect after a reboot. The WmiPrvSE.exe here is the dropped copy under C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris (PID 2220), not the genuine C:\Windows\System32\wbem\WmiPrvSE.exe.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | savesref.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | savesref.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | savesref.exe
YARA rule dcrat 7 IoCs
resource | yara_rule
behavioral1/memory/3172-5-0x0000000000400000-0x000000000060E000-memory.dmp | dcrat
behavioral1/files/0x000700000002a9b6-16.dat | dcrat
behavioral1/files/0x000100000002a9d9-107.dat | dcrat
behavioral1/memory/2336-109-0x00000000003F0000-0x000000000057C000-memory.dmp | dcrat
behavioral1/files/0x000300000002a9ed-164.dat | dcrat
behavioral1/files/0x000400000002a9ec-174.dat | dcrat
behavioral1/memory/2220-193-0x0000000000570000-0x00000000006FC000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings: an exclusion for the dropped explorer.exe (PID 256) and a Set-MpPreference call that turns off real-time monitoring, IOAV, script scanning and sample submission (PID 2736). Both cmdlets need an elevated session. Note that the second command line chains with "&&", which Windows PowerShell 5.1 (the powershell.exe path in the tree) rejects as a parse error, so on a default install only the Add-MpPreference exclusion is likely to have taken effect.
pid | Process
256 | powershell.exe
Drops file in Drivers directory 1 IoCs
The explorer.exe here is the dropped C:\Users\Admin\AppData\Local\Temp\explorer.exe (PID 1788), not Windows Explorer; opening the hosts file for modification is a name-resolution tampering indicator.
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | explorer.exe
Executes dropped EXE 5 IoCs
pid | Process
4408 | svchost.exe (C:\Users\Admin\AppData\Local\Temp\svchost.exe)
1788 | explorer.exe (C:\Users\Admin\AppData\Local\Temp\explorer.exe)
2336 | savesref.exe (C:\Users\Admin\AppData\Roaming\discord\savesref.exe)
2220 | WmiPrvSE.exe (C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe)
3360 | WmiPrvSE.exe (same dropped path, second launch)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Checks whether UAC is enabled 4 IoCs
Each process reads EnableLUA before writing it to 0.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | savesref.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | savesref.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
1 | discord.com
4 | discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ip-api.com
Suspicious use of SetThreadContext 1 IoCs
The sample (PID 1052) sets the thread context of RegAsm.exe (PID 3172) after writing to its memory nine times (see the WriteProcessMemory table). Together with the Umbral and dcrat YARA hits on RegAsm's memory at 0x400000-0x60E000, the image base, this is consistent with process hollowing (RunPE) of a signed .NET utility.
description | pid | Process | procid_target
PID 1052 set thread context of 3172 | 1052 | 7ebabb8b4bb51cf.exe | 78
Drops file in Program Files directory 5 IoCs
unsecapp.exe is a genuine Windows binary name that ships in C:\Windows\System32\wbem; a copy under Windows Photo Viewer\en-US, next to a hex-named companion file, is masquerading.
description | ioc | Process
File created | C:\Program Files\Windows Photo Viewer\en-US\29c1c3cc0f7685 | savesref.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\en-US\RCX6B12.tmp | savesref.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\en-US\RCX6B13.tmp | savesref.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\en-US\unsecapp.exe | savesref.exe
File created | C:\Program Files\Windows Photo Viewer\en-US\unsecapp.exe | savesref.exe
Drops file in Windows directory 5 IoCs
Same pattern: WmiPrvSE.exe belongs in C:\Windows\System32\wbem, not under a SystemApps package folder.
description | ioc | Process
File opened for modification | C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\RCX6D18.tmp | savesref.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\RCX6D96.tmp | savesref.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe | savesref.exe
File created | C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe | savesref.exe
File created | C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\24dbde2999530e | savesref.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here there are three task creations per dropped binary: an ONLOGON task with /rl HIGHEST and two MINUTE-interval tasks, the second of which reuses the first's name with /f and so overwrites it. The targets are C:\Recovery\WindowsRE\fontdrvhost.exe, C:\Program Files\Windows Photo Viewer\en-US\unsecapp.exe and C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe; the full command lines are in the process list.
pid | Process
1948 | schtasks.exe
1096 | schtasks.exe
3544 | schtasks.exe
2052 | schtasks.exe
4144 | schtasks.exe
3464 | schtasks.exe
4768 | schtasks.exe
696 | schtasks.exe
2296 | schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine the videocard installed.
pid | Process
4352 | wmic.exe
Enumerates system info in registry 2 TTPs 3 IoCs
These rows come from the separate top-level chrome.exe (PID 3356), which is not a child of the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599321522692659" | chrome.exe
Modifies registry class 2 IoCs
The svchost.exe here is the dropped C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 4408).
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | savesref.exe
Runs ping.exe 1 TTPs 1 IoCs
ping localhost is the delay before the dropped explorer.exe is deleted by cmd.exe PID 4072 (see the process list).
pid | Process
4252 | PING.EXE
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process | count
256 | powershell.exe | 2
2736 | powershell.exe | 2
1876 | powershell.exe | 2
2808 | powershell.exe | 2
2336 | savesref.exe | 5
1448 | powershell.exe | 2
2220 | WmiPrvSE.exe | 13
3356 | chrome.exe | 2
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2220 | WmiPrvSE.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid | Process | count
3356 | chrome.exe | 3
Suspicious use of AdjustPrivilegeToken 64 IoCs
The list is capped at 64 entries. The wmic.exe rows are the full privilege set wmic enables on start-up and are not sample-specific; the SeDebugPrivilege rows for the sample, the dropped explorer.exe, savesref.exe and the PowerShell children are the ones worth noting.
pid | Process | privileges
1052 | 7ebabb8b4bb51cf.exe | SeDebugPrivilege
1788 | explorer.exe | SeDebugPrivilege
256 | powershell.exe | SeDebugPrivilege
2736 | powershell.exe | SeDebugPrivilege
1876 | powershell.exe | SeDebugPrivilege
2808 | powershell.exe | SeDebugPrivilege
1112 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set appears twice)
2336 | savesref.exe | SeDebugPrivilege
4140 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege (truncated by the 64-entry cap)
Suspicious use of FindShellTrayWindow 27 IoCs
pid | Process | count
3356 | chrome.exe | 27
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process | count
3356 | chrome.exe | 12
Suspicious use of WriteProcessMemory 64 IoCs
Grouped by writer and target; the list is capped at 64 entries. Every plain spawn in the tree produces a few of these rows, so the count alone is not a signal; the 1052 -> 3172 pair is the one paired with SetThreadContext.
pid | Process | wrote to (pid, image) | count | procid_target
1052 | 7ebabb8b4bb51cf.exe | 3172 RegAsm.exe | 9 | 78
3172 | RegAsm.exe | 4408 svchost.exe | 3 | 79
3172 | RegAsm.exe | 1788 explorer.exe | 2 | 80
4408 | svchost.exe | 1600 WScript.exe | 3 | 81
1788 | explorer.exe | 2300 attrib.exe | 2 | 82
1788 | explorer.exe | 256 powershell.exe | 2 | 84
1788 | explorer.exe | 2736 powershell.exe | 2 | 86
1788 | explorer.exe | 1876 powershell.exe | 2 | 88
1788 | explorer.exe | 2808 powershell.exe | 2 | 90
1600 | WScript.exe | 4744 cmd.exe | 3 | 92
4744 | cmd.exe | 2336 savesref.exe | 2 | 94
1788 | explorer.exe | 1112 wmic.exe | 2 | 95
1788 | explorer.exe | 4140 wmic.exe | 2 | 98
1788 | explorer.exe | 2032 wmic.exe | 2 | 100
1788 | explorer.exe | 1448 powershell.exe | 2 | 105
1788 | explorer.exe | 4352 wmic.exe | 2 | 113
1788 | explorer.exe | 4072 cmd.exe | 2 | 115
4072 | cmd.exe | 4252 PING.EXE | 2 | 117
2336 | savesref.exe | 4620 cmd.exe | 2 | 118
4620 | cmd.exe | 4012 w32tm.exe | 2 | 120
4620 | cmd.exe | 2220 WmiPrvSE.exe | 2 | 121
3356 | chrome.exe | 3768 chrome.exe | 2 | 128
3356 | chrome.exe | 3200 chrome.exe | 10 | 129
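The two process-telemetry signatures above (unexpected WmiPrvSE.exe children, and WriteProcessMemory paired with SetThreadContext into RegAsm.exe) are easy to turn into a script. The following is an added example, not part of the sandbox report: the PIDs and image names are constructed from the report's process tree and API-call rows, and the UNEXPECTED_CHILDREN and HOLLOW_HOSTS baselines are assumptions a detection engineer would extend from their own environment.

```python
"""Process-telemetry triage: unexpected parents and hollowing candidates.

Added example, not part of the sandbox report. PIDs and image names are
constructed from the report; the baselines below are assumptions.
"""
from collections import defaultdict

# pid -> image name, constructed from the report's process tree
IMAGE = {
    1052: "7ebabb8b4bb51cf.exe",
    3172: "RegAsm.exe",
    4408: "svchost.exe",
    1788: "explorer.exe",
    2944: "wmiprvse.exe",
    2052: "schtasks.exe",
    1948: "schtasks.exe",
    4744: "cmd.exe",
    2336: "savesref.exe",
}

# child pid -> parent pid, constructed from the same tree
PARENT = {3172: 1052, 4408: 3172, 1788: 3172, 2052: 2944, 1948: 2944, 2336: 4744}

# (caller pid, API, target pid). The sample writes RegAsm.exe nine times and
# then sets its thread context. Plain spawns (3172 -> 4408, 3172 -> 1788,
# 4744 -> 2336) also show WriteProcessMemory: a parent writing a few pages
# into a child it just created is normal CreateProcess behaviour, so the
# SetThreadContext on that child is the discriminating call.
API_CALLS = [(1052, "WriteProcessMemory", 3172)] * 9 + [
    (1052, "SetThreadContext", 3172),
    (3172, "WriteProcessMemory", 4408),
    (3172, "WriteProcessMemory", 1788),
    (4744, "WriteProcessMemory", 2336),
]

# Assumed baseline: children a given system parent has no business spawning.
# WmiPrvSE.exe is the parent of every process created through WMI
# (Win32_Process.Create), so a hit means "something started a LOLBin via
# WMI", not "the WMI provider host was exploited".
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe"},
}

# Assumed baseline: signed .NET utilities that loaders commonly hollow.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def unexpected_parents(image, parent):
    """Return (parent pid, parent image, child pid, child image) for every
    parent/child pair that violates the UNEXPECTED_CHILDREN baseline."""
    hits = []
    for child, par in sorted(parent.items()):
        banned = UNEXPECTED_CHILDREN.get(image[par].lower(), set())
        if image[child].lower() in banned:
            hits.append((par, image[par], child, image[child]))
    return hits


def hollowing_candidates(image, api_calls):
    """Pair WriteProcessMemory with SetThreadContext from the same caller to
    the same cross-process target. With ordered telemetry you would also
    require the context change to follow the writes (and precede a
    ResumeThread); the report only gives counts, so the pairing is the test."""
    writes = defaultdict(int)
    context_set = set()
    for caller, api, target in api_calls:
        if caller == target:
            continue  # a process changing its own threads is not hollowing
        if api == "WriteProcessMemory":
            writes[(caller, target)] += 1
        elif api == "SetThreadContext":
            context_set.add((caller, target))
    hits = []
    for caller, target in sorted(context_set):
        if writes[(caller, target)] == 0:
            continue
        hits.append({
            "parent": (caller, image[caller]),
            "child": (target, image[target]),
            "writes": writes[(caller, target)],
            "lolbin_host": image[target].lower() in HOLLOW_HOSTS,
        })
    return hits


if __name__ == "__main__":
    for par, pimg, child, cimg in unexpected_parents(IMAGE, PARENT):
        print(f"unexpected parent: {pimg} ({par}) -> {cimg} ({child})")
    for hit in hollowing_candidates(IMAGE, API_CALLS):
        print(f"hollowing candidate: {hit['parent']} -> {hit['child']}, "
              f"{hit['writes']} writes, LOLBin host={hit['lolbin_host']}")
```

On the report's data this prints the two WMI-launched schtasks.exe instances and a single hollowing candidate, 7ebabb8b4bb51cf.exe into RegAsm.exe; the plain spawns with their handful of WriteProcessMemory rows are not reported.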
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | savesref.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | savesref.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | savesref.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
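The UAC policy writes in this table and the Defender-tampering PowerShell lines under "Command and Scripting Interpreter: PowerShell" are both Impair Defenses behaviour, and both can be checked from the raw rows. The script below is an added example, not part of the sandbox report: the registry rows and the two command lines are copied from the report, while UAC_WEAKENING and DEFENDER_WEAKENING are assumed baselines to extend. It also flags the "&&" chain in the second command line, which Windows PowerShell 5.1 cannot parse.

```python
"""Impair-defenses checks: UAC policy writes and Defender tampering cmdlets.

Added example, not part of the sandbox report. Registry rows and command
lines are copied from the report; the baselines are assumptions.
"""
import re

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# (operation, value path, data, process), constructed from the report's rows
REGISTRY_EVENTS = [
    ("Key value queried", UAC_KEY + r"\EnableLUA", None, "savesref.exe"),
    ("Set value (int)", UAC_KEY + r"\EnableLUA", "0", "savesref.exe"),
    ("Set value (int)", UAC_KEY + r"\ConsentPromptBehaviorAdmin", "0", "savesref.exe"),
    ("Set value (int)", UAC_KEY + r"\PromptOnSecureDesktop", "0", "savesref.exe"),
    ("Key value queried", UAC_KEY + r"\EnableLUA", None, "WmiPrvSE.exe"),
    ("Set value (int)", UAC_KEY + r"\EnableLUA", "0", "WmiPrvSE.exe"),
    ("Set value (int)", UAC_KEY + r"\ConsentPromptBehaviorAdmin", "0", "WmiPrvSE.exe"),
    ("Set value (int)", UAC_KEY + r"\PromptOnSecureDesktop", "0", "WmiPrvSE.exe"),
]

# Windows defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1.
UAC_WEAKENING = {
    "enablelua": ({"0"}, "UAC switched off (effective after the next reboot)"),
    "consentpromptbehavioradmin": ({"0"}, "administrators elevate without any prompt"),
    "promptonsecuredesktop": ({"0"}, "consent prompt no longer shown on the secure desktop"),
}

MP_CMDLINES = [
    r"""powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'""",
    r"""powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2""",
]

# parameter (lower-case) -> values that weaken Defender; None means any value
DEFENDER_WEAKENING = {
    "disablerealtimemonitoring": {"$true", "1"},
    "disableioavprotection": {"$true", "1"},
    "disablescriptscanning": {"$true", "1"},
    "disableintrusionpreventionsystem": {"$true", "1"},
    "enablecontrolledfolderaccess": {"disabled", "0"},
    "mapsreporting": {"disabled", "0"},
    "submitsamplesconsent": {"neversend", "2"},
    "exclusionpath": None,
    "exclusionprocess": None,
    "exclusionextension": None,
}
CMDLET = re.compile(r"\b(Set|Add)-MpPreference\b", re.IGNORECASE)
# "-Name value": the lookbehind keeps the '-' inside Set-MpPreference from
# reading as a parameter, and a value may not itself start with '-'
PARAM = re.compile(r"""(?<!\w)-(\w+)(?:\s+('[^']*'|"[^"]*"|[^\s-]\S*))?""")


def uac_findings(events):
    """Return (process, value name, explanation) for each write that weakens UAC."""
    out = []
    for op, path, data, proc in events:
        if not op.lower().startswith("set value"):
            continue  # reads (the 'Checks whether UAC is enabled' rows) are not tampering
        key, _, name = path.rpartition("\\")
        rule = UAC_WEAKENING.get(name.lower())
        if key.lower() == UAC_KEY.lower() and rule and data in rule[0]:
            out.append((proc, name, rule[1]))
    return out


def defender_findings(cmdlines):
    """Return (parameter, value) for each Defender-weakening argument."""
    out = []
    for cmd in cmdlines:
        if not CMDLET.search(cmd):
            continue
        for m in PARAM.finditer(cmd):
            param = m.group(1)
            value = (m.group(2) or "").strip("'\"")
            want = DEFENDER_WEAKENING.get(param.lower(), "absent")
            if want == "absent":
                continue
            if want is None or value.lower() in want:
                out.append((param, value))
    return out


def winps_parse_error(cmd):
    """Windows PowerShell 5.1 (the powershell.exe in the report) has no '&&'
    or '||' chain operators; a line containing one fails to parse, so none
    of its cmdlets run. Only pwsh 7+ accepts it."""
    return bool(re.search(r"\s(&&|\|\|)\s", cmd))


if __name__ == "__main__":
    for proc, name, why in uac_findings(REGISTRY_EVENTS):
        print(f"{proc}: {name}=0 -> {why}")
    for param, value in defender_findings(MP_CMDLINES):
        print(f"Defender weakened: -{param} {value}")
    for cmd in MP_CMDLINES:
        if winps_parse_error(cmd):
            print("note: '&&' present, a parse error under Windows PowerShell 5.1")
```

Both MpPreference cmdlets and the HKLM policy writes need an elevated token, so a hit from a non-elevated process on a real host would be a failed attempt, which is still worth alerting on. The `-SubmitSamplesConsent 2` in the chained second half is the numeric form of NeverSend, which is why the table lists both spellings.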
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. vssvc.exe (PID 1524) starts during the run; no shadow-copy deletion is recorded in this report.
Views/modifies file attributes 1 TTPs 1 IoCs
attrib.exe +h +s marks the dropped Temp\explorer.exe hidden and system.
pid | Process
2300 | attrib.exe
Processes (indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\7ebabb8b4bb51cf.exe  PID:1052
    cmdline: "C:\Users\Admin\AppData\Local\Temp\7ebabb8b4bb51cf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  PID:3172  (hollowed host for the Umbral and DcRat payloads)
        cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\svchost.exe  PID:4408  (dropped DcRat stage, not the Windows service host)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WScript.exe  PID:1600  (the System32 path in the command line was redirected to SysWOW64, so the dropped svchost.exe is 32-bit)
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\discord\KVGHJrchTtXZ1.vbe"
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe  PID:4744
                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\discord\91XI5GEPShJXCgG0eVHRJ.bat" "
                    - Suspicious use of WriteProcessMemory
                    C:\Users\Admin\AppData\Roaming\discord\savesref.exe  PID:2336  (DcRat)
                        cmdline: "C:\Users\Admin\AppData\Roaming\discord\savesref.exe"
                        - UAC bypass
                        - Executes dropped EXE
                        - Checks whether UAC is enabled
                        - Drops file in Program Files directory
                        - Drops file in Windows directory
                        - Modifies registry class
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        - System policy modification
                        C:\Windows\System32\cmd.exe  PID:4620
                            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0EpYUV7rVf.bat"
                            - Suspicious use of WriteProcessMemory
                            C:\Windows\system32\w32tm.exe  PID:4012  (time-sync query used as a short delay before the next stage)
                                cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe  PID:2220  (dropped copy; the genuine WmiPrvSE.exe lives in C:\Windows\System32\wbem)
                                cmdline: "C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe"
                                - UAC bypass
                                - Executes dropped EXE
                                - Checks whether UAC is enabled
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious behavior: GetForegroundWindowSpam
                                - System policy modification
        C:\Users\Admin\AppData\Local\Temp\explorer.exe  PID:1788  (dropped Umbral stealer, not Windows Explorer)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SYSTEM32\attrib.exe  PID:2300  (hides the stealer binary)
                cmdline: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
                - Views/modifies file attributes
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:256  (Defender exclusion for the stealer)
                cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:2736  (Defender tampering; the "&&" chain is a parse error in Windows PowerShell 5.1, so this line likely did nothing on a default install)
                cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:1876  (Roblox session cookie theft)
                cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:2808  ("HKLN:" is as executed; it is not a PowerShell drive, so this second lookup fails)
                cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\Wbem\wmic.exe  PID:1112  (host fingerprinting: OS, RAM, machine UUID, CPU and GPU over the next five children)
                cmdline: "wmic.exe" os get Caption
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\Wbem\wmic.exe  PID:4140
                cmdline: "wmic.exe" computersystem get totalphysicalmemory
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\Wbem\wmic.exe  PID:2032
                cmdline: "wmic.exe" csproduct get uuid
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:1448
                cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                - Suspicious behavior: EnumeratesProcesses
            C:\Windows\System32\Wbem\wmic.exe  PID:4352
                cmdline: "wmic" path win32_VideoController get name
                - Detects videocard installed
            C:\Windows\SYSTEM32\cmd.exe  PID:4072  (self-delete of the hidden stealer after a ping delay)
                cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\explorer.exe" && pause
                - Suspicious use of WriteProcessMemory
                C:\Windows\system32\PING.EXE  PID:4252
                    cmdline: ping localhost
                    - Runs ping.exe
C:\Windows\system32\schtasks.exe (nine top-level instances, all spawned via WMI from wmiprvse.exe PID 2944; each is tagged "Process spawned unexpected child process" and "Creates scheduled task(s)")
    PID:2052  cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
    PID:1948  cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    PID:4144  cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    PID:3464  cmdline: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\unsecapp.exe'" /f
    PID:1096  cmdline: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\unsecapp.exe'" /rl HIGHEST /f
    PID:3544  cmdline: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\unsecapp.exe'" /rl HIGHEST /f
    PID:4768  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe'" /f
    PID:696   cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe'" /rl HIGHEST /f
    PID:2296  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe'" /rl HIGHEST /f
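The nine schtasks.exe command lines above (and the "Creates scheduled task(s)" signature that counts them) carry everything a responder needs: task name, trigger, target path and run level. The script below is an added example, not part of the sandbox report: the command lines are copied from the report, while LEGIT_DIRS, the table of where each borrowed Windows binary name really lives, is an assumed baseline to extend. It parses each line, groups tasks by the binary they launch, and flags a Windows binary name running from a directory it does not ship in.

```python
"""Pull persistence targets out of schtasks /create command lines and flag
Windows binary names running from the wrong directory.

Added example, not part of the sandbox report. The command lines are copied
from the report; LEGIT_DIRS is an assumed baseline.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SCHTASKS_CMDLINES = [
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\unsecapp.exe'" /f''',
    r'''schtasks.exe /create /tn "unsecapp" /sc ONLOG ON /tr "'C:\Program Files\Windows Photo Viewer\en-US\unsecapp.exe'" /rl HIGHEST /f'''.replace("ONLOG ON", "ONLOGON"),
    r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\unsecapp.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe'" /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe'" /rl HIGHEST /f''',
]

# Where these Windows binaries legitimately live (assumed baseline; lower-case,
# no trailing backslash). The same file name anywhere else is masquerading.
LEGIT_DIRS = {
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "unsecapp.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
}

# /tn "quoted" or /sc BARE; /create and /f carry no value and are skipped
OPTION = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Extract task name, trigger, interval, target and run level."""
    opts = {}
    for m in OPTION.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return {
        "name": opts.get("tn"),
        "schedule": opts.get("sc", "").upper(),
        "every": int(opts["mo"]) if "mo" in opts else None,
        # the inner single quotes are part of the /tr string the sample passed
        "target": opts.get("tr", "").strip("'"),
        "runlevel": opts.get("rl", "LIMITED").upper(),  # schtasks default
    }


def masquerade(task):
    """Return a note when the target's file name is a known Windows binary
    but its directory is not one the binary ships in, else None."""
    p = PureWindowsPath(task["target"])
    legit = LEGIT_DIRS.get(p.name.lower())
    if legit is None or str(p.parent).lower() in legit:
        return None
    return f"{p.name} is a Windows binary name but runs from {p.parent}"


def persistence_targets(cmdlines):
    """target path -> [(name, schedule, every, runlevel)]. schtasks /f
    overwrites an existing task of the same name, so the two WmiPrvSEW
    definitions leave one task on disk, the later /rl HIGHEST one."""
    by_target = defaultdict(list)
    for cl in cmdlines:
        t = parse_schtasks(cl)
        by_target[t["target"]].append((t["name"], t["schedule"], t["every"], t["runlevel"]))
    return dict(by_target)


def triage(cmdlines):
    """(name, target, notes) per command line, notes empty when nothing stands out."""
    findings = []
    for cl in cmdlines:
        t = parse_schtasks(cl)
        notes = []
        note = masquerade(t)
        if note:
            notes.append(note)
        if t["runlevel"] == "HIGHEST":
            notes.append("runs with highest privileges")
        if t["schedule"] == "MINUTE":
            notes.append(f"relaunched every {t['every']} min")
        elif t["schedule"] == "ONLOGON":
            notes.append("relaunched at every logon")
        findings.append((t["name"], t["target"], notes))
    return findings


if __name__ == "__main__":
    for name, target, notes in triage(SCHTASKS_CMDLINES):
        print(f"{name}: {target}\n    " + "; ".join(notes))
```

The grouping is what you hand to the host team: three binaries to remove, each with an ONLOGON task and a minute-interval task to delete (task names without and with the trailing letter). The masquerade check is deliberately name-based rather than signature-based, because the sample can drop an unsigned file under any name; a signed-binary check belongs on top of it, not instead of it.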
C:\Windows\system32\vssvc.exe  PID:1524
    cmdline: C:\Windows\system32\vssvc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3356  (top-level, not a child of the sample)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    chrome.exe  PID:3768
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb888ab58,0x7ffdb888ab68,0x7ffdb888ab78
    chrome.exe  PID:3200
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:2
    chrome.exe  PID:244
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:8
    chrome.exe  PID:3308
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:8
    chrome.exe  PID:4612
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:1
    chrome.exe  PID:4168
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:1
    chrome.exe  PID:4744  (PID reused after the earlier cmd.exe 4744 exited)
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4196 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:1
    chrome.exe  PID:2308
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4372 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:8
    chrome.exe  PID:4040
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:8
    chrome.exe  PID:1204
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3008 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:8
    chrome.exe  PID:1456
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:8
    chrome.exe  PID:2800
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1800,i,7780612314402273076,8940181584291854832,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  PID:3556
    cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe  PID:3360  (second, top-level launch of the dropped copy; processes started by a scheduled task appear this way because their parent is the Schedule service host)
    cmdline: C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\WmiPrvSE.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1): Bypass User Account Control
    Scheduled Task/Job (1)
Downloads (dropped and downloaded files; file names are not recorded in this report)
Filesize 1.5MB
    MD5: bf164fec3cd078761a70462be31050fb
    SHA1: 48ebbb45426cbe2056e5f0bca1bd03e06ddfa5a2
    SHA256: 1d547dd97ae48345cae40c0a76258b3efa12dd8e9ea689f3d022e482584aa173
    SHA512: fc4dbc0aa8d172b2b6c706e778acf5e49a5fc4c1c1fa763bd01a6d4332f1731ae5a87bfb500027067c3bb1b7508326c81b0462c08667b2b7a68bdc1ec38e748b
Filesize 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
Filesize 1KB
    MD5: 64611990b96c87fb031c16adcee9575f
    SHA1: b60eb6c23aef95192d3da96fc072ed7625700423
    SHA256: 558aec2d23423e4b683ad299a33cde84c73629f870ef9f6257d8edfd09c59bce
    SHA512: 836bee29c0381912431b7e8e1dca0e03b57c9f97cfa346ff7dabdee114c869e798f4700470a1c87f15ca531873d08cf38ae1330ffd97101d42417b2f2e0822d8
Filesize 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
Filesize 356B
    MD5: ebb07ccd5e413acc153af8096430eefd
    SHA1: 40c2146d9fc2cd4bf3db5815018ee12992cfc1ab
    SHA256: be6947235018372395e4c14d686cfc4db10d0eadf051043aa2304fbda62fa54c
    SHA512: ea8e60edf29f54a1993c73ab229bcc9162ab2cce287b3aa28993d0b30195fa293f5d94a24032fa0167b2b0d6ddc452a29aec1326cd9c3389166fef2eba1b6f74
Filesize 6KB
    MD5: b4bbe29292b2d135b1d24b7d1ca3250f
    SHA1: 2ee62bed440012af8e088e181caf8425c70356d2
    SHA256: ee552f9d7646c8f6e9ad8623e125e8d073055280a453b969a22ae1f023b5c846
    SHA512: f19628990e887098c22521873b9d02fbfb23ea69b27c62c1fb72376116d5f46743a32a9a8512713b6591901454a37a6aa9cf6388a21f4f6e6ae038a7cb7ef78f
Filesize 16KB
    MD5: 92a396cbe9d88bf84907d36e27eab43e
    SHA1: 38dcbe7cbc214c3e7988ca43cede5185d7c03781
    SHA256: 6d2b84060388ef320aca8dc1c00d34298d593690661fb144c4681bfe15da5dd2
    SHA512: 0058e98c923eba88757e932828c729cfec6c68c3ab95c726982594f30fc409a163006259bf3bab31712936fd31554c04385ce3ccfb134ec1338cadfb0fd5d948
Filesize 256KB
    MD5: 28acc555fe545484718981e299c93219
    SHA1: f8539b69481a33f6263df16e1ef1d49b52db8dee
    SHA256: 1ae59d5e284344cfbf9662ec3a2f4ca0b632b3eab6dbece175f32a99f8644479
    SHA512: d71735eb191e044291dd3d79ac3c6d86d1f205be4fbf46a2597b88d302b30f9d7d00e81ed8d0bbbef388b5051e875b11782db123514f3cef4d739a854856d906
Filesize 256KB
    MD5: 37cdaa4de7205a54fa59b268e15a74b6
    SHA1: 5b450c723b6441abd62496748f666d3980455d2c
    SHA256: e9d8a96e439a71f16344090b3b77e95b6b69e14fac1c2590c4d594266c9aa70f
    SHA512: 863044fad81ec70449745d2d024087fbf28775dda137f844e9e3a55985627940bf957083408f1b1c16997478d987ae463b92b03e2297b846f4a0d7f1c0ed58c0
Filesize 2KB
    MD5: 627073ee3ca9676911bee35548eff2b8
    SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
    SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
    SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
Filesize 1KB
    MD5: 10254f48b63b60ae6245903153592e48
    SHA1: 2c300d1c60c50e8896705022bc402c423681f40a
    SHA256: b3778ffb5260878714023fd1abc70c4e850b5397c2b32a3975b1ff28bfd96c69
    SHA512: 6a7e7844c47a07bc8fd0b59267f0d1bac460f672ada93131edd65ca2eb33159de9f6291a1acde745f32991b364e9ceac697f2dfcf1a2696b51a9120dd7af77d4
Filesize 944B
    MD5: 2e8eb51096d6f6781456fef7df731d97
    SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
    SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
    SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
Filesize 948B
    MD5: d80c90c20d0f5c8f07229716f2beffef
    SHA1: 42dcd92a3a1059e5e559e1cd110ec98a3ac45e3e
    SHA256: 5ba478485882ee7c7aa928af8c98e7754e876887e00a0c69520d20bd4926e7f6
    SHA512: d6a4b14a52154db7c5af19e60910774d61704e7a6243ba5f73e11f7b692ea75840730e04eaccb59387021edf57506e0c2999e4237e8d921a01053eb4a3274ecf
Filesize 1KB
    MD5: 7332074ae2b01262736b6fbd9e100dac
    SHA1: 22f992165065107cc9417fa4117240d84414a13c
    SHA256: baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
    SHA512: 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2
Filesize 234B
    MD5: b9e976067931abdb98a9969997dcf9d9
    SHA1: 87e14822209b81ae3814134ba0235e671f35b7dd
    SHA256: 667248f554c1f3ebef3c31c80b940ca2c551b1c0a80ee9e224879547dad6a51f
    SHA512: a8468073ecbc2e9b80ec188c4389e0c6008505b2828e1fa573e393197411dc9ed984f6d1f632376336b1ae02b885bd4dbbfc1d61f8cab41831dc209dc566fc46
-
Filesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
231KB
MD55a006cd74e0225a15746bee6928d62f1
SHA1a17dabdb634d9667c3590436998252148a5fab92
SHA2560350fdb32852f781665e056a04f318e94c746612f7b4e3cd430d808c894aae4c
SHA51259d6b467cf48cf1aafaf13e1acfdd6ae4806403f0bc92e759590b04da4ecd719488300ecd412d92931e7b65daf0ab2229d7a165b31595334676b40942bb30f81
-
Filesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
Filesize
1.8MB
MD545008c4cc3fc25a5d5184742ae2fe72b
SHA1f5e7b3110df6917df0e07a822c313c52eec335fd
SHA25609d240d54a5458bcc9362ea0f06e23a345b69e196e127462d5f33e8a475ccd57
SHA5123059e4e59cb103f08fd13f776bf65d41b4cfec7a7f6610a2c945e134d4b913185f64bdf357bbc3c52e26da77f9e04a19c121611ad11fb40bf486aade1751e335
-
Filesize
32B
MD584814a18997996f8a95ba8e868396e90
SHA130b79b2158d922433ba25117fb79f8720470fb44
SHA25692c8ccb6b3a9abc0798ad760255c47356c3750a74b11e38590876c68927f3797
SHA512b1b820e12c49fe4993229222a218a769e5d6913f303d382baaff735f3b24a5b068adcfb344397004dd9d7aa637c4e9baedf2e3ca3dfb3f56e86c8c8f8cf9cf7e
-
Filesize
212B
MD5cdb5dc99d1017d58fdbfce66f048da76
SHA1e1903f365d81996da9810b9f0dc40bc65b3324c7
SHA256bd9e0e5f3e6379d03907896d71843cc2dbfef7e209cc0896b4755fa0422a3b43
SHA51272e3e2f3b5f385c402faf7ac89690a99806f648f90e85f46b01db66284f247c10dbe03e612e41c46775cd29fecaeede2fd26bc8dc2e22e252f9f1ce9b801f88d
-
Filesize
1.5MB
MD50a32536cc1d5e2a35d7d289b4ff0e76b
SHA198736b0b5a6f3709f81365c9e6477819074c3170
SHA2568d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710
SHA512b2d5d91eb7ecfc6eb295c63ecba5c3ceb4b4a865fc9a9f90bd1e82bff4bc39905baf9ab2962580ee708761632e5499694f3f823aa2f139bce809398262eb3b73
-
Filesize
1.5MB
MD5a0029298ab72def8735e0fdd28f253c2
SHA1dcec475e4f1813c7ed3f41bb032b639addf7f76c
SHA2565e32bed8b7e2b4439f4dc1d11e57e1628796debb216da90ac86cfbabb804c37c
SHA512d987afcd3aedde30dd3bf687817403345d939807f537914af12e6db6e86ca66f7d167d8b87b7418db5a99ff14fd6bae26f3fee5929471cf1ca48c47cd47e4ad0
-
Filesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b