Resubmissions

21-06-2024 12:22

240621-pj3qhszaka 10

21-06-2024 12:03

240621-n7676ssgkq 10

Analysis

  • max time kernel
    76s
  • max time network
    84s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21-06-2024 12:03

Errors

Reason
Machine shutdown

General

  • Target

    DCRatBuild.exe

  • Size

    1.1MB

  • MD5

    69119a27d94728deb85e51c343ca0173

  • SHA1

    f93da03f3678056d611196d1c837146277fc68dc

  • SHA256

    f54df54335eb1edb832f6a501d095b0d2011c32a81f061397e04908efab35b3e

  • SHA512

    ce7887a1abaac570a45344efa9793650c39134b89a1aaad5e1cbe8e71985e6515871622334b5da4cad520e865a4c7605e0587bb4174d54fbf129035eb5cd1e6c

  • SSDEEP

    24576:U2G/nvxW3Ww0tzm2QaiULPxZWv7q6cZIrDgVmAk:UbA30BQaVZrmH

Score
10/10

Malware Config

Signatures

  • DcRat 50 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PortserverWin\hbvALF5ANwO637LJ.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3600
        • C:\PortserverWin\serverwin.exe
          "C:\PortserverWin\serverwin.exe"
          4⤵
          • DcRat
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3728
          • C:\PortserverWin\serverwin.exe
            "C:\PortserverWin\serverwin.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3752
            • C:\Program Files\Windows Multimedia Platform\lsass.exe
              "C:\Program Files\Windows Multimedia Platform\lsass.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:548
              • C:\Windows\System32\shutdown.exe
                "C:\Windows\System32\shutdown.exe" /s /t 0
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3752
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4120,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
    1⤵
      PID:1120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\PortserverWin\SearchApp.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\PortserverWin\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\PortserverWin\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\PortserverWin\RuntimeBroker.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PortserverWin\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1196
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\PortserverWin\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\PortserverWin\taskhostw.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\PortserverWin\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\PortserverWin\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\PortserverWin\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PortserverWin\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\PortserverWin\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\PortserverWin\msedge.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\PortserverWin\msedge.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\PortserverWin\msedge.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\msedge.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Speech\msedge.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\msedge.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\PortserverWin\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PortserverWin\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\PortserverWin\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\msedge.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\msedge.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\msedge.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1088
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4484
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      1⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffe9542ab58,0x7ffe9542ab68,0x7ffe9542ab78
        2⤵
          PID:1276
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:2
          2⤵
            PID:396
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
            2⤵
              PID:4912
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
              2⤵
                PID:3708
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:1
                2⤵
                  PID:3952
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:1
                  2⤵
                    PID:4072
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:1
                    2⤵
                      PID:5128
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4332 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
                      2⤵
                        PID:5172
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
                        2⤵
                          PID:5180
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
                          2⤵
                            PID:5420
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
                            2⤵
                              PID:5488
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
                              2⤵
                                PID:5536
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
                                2⤵
                                • Drops file in Program Files directory
                                PID:5700
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:2
                                2⤵
                                • Drops file in Program Files directory
                                PID:5812
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
                                2⤵
                                • Drops file in Program Files directory
                                PID:5880
                            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                              "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                              1⤵
                                PID:2032
                              • C:\Windows\system32\werfault.exe
                                werfault.exe /h /shared Global\e937ebf6b0a440a3b435226593782774 /t 4360 /p 1248
                                1⤵
                                  PID:4952
                                • C:\Windows\system32\LogonUI.exe
                                  "LogonUI.exe" /flags:0x4 /state0:0xa38f7855 /state1:0x41c64e6d
                                  1⤵
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of SetWindowsHookEx
                                  PID:804

                                Network

                                MITRE ATT&CK Enterprise v15

                                Downloads

                                • C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.bat
                                  Filesize

                                  32B

                                  MD5

                                  f97003508c4a7da05b8dd7ec2eb5d19d

                                  SHA1

                                  57c69807156d660c0394caf53af6d7edb10419ae

                                  SHA256

                                  0065d6587056351f930803b1030b2d1b210e41a4a731f3d0e4f55d903a0b80e0

                                  SHA512

                                  86c8a7697d0593dc48bd1343af8c114e85fa422380ae7cfcbd549d4b740e7aff4faf23d0ff06d1c7e4b6a1b0f3eafe15ddfbc451d42815ec23b4ee7e6437124d

                                • C:\PortserverWin\hbvALF5ANwO637LJ.vbe
                                  Filesize

                                  215B

                                  MD5

                                  ac7f40d86252e33f7eaa68237c8ef92e

                                  SHA1

                                  3cca1a9e29e8ab5a3a72ac9c8eac2c482a0da30b

                                  SHA256

                                  90cd9a07fcbef6f39445d04035adbdcde5f1cc91e7f7f084516efbc5ba95c3ca

                                  SHA512

                                  1d66fedbc2b1d882b007d4b36c3ffef1c5d550c60ceb14c7517b48e08deb2f7e868fdd419d6545e07fe4a859ff088746f8a6892b9e99a8d2216f7c3a4bc2c694

                                • C:\PortserverWin\serverwin.exe
                                  Filesize

                                  828KB

                                  MD5

                                  eee8aebed57ea1fb9fb307a967e6892a

                                  SHA1

                                  047a0c84eeba395bf99e99872ad56bb35416bb2b

                                  SHA256

                                  1d5d6374bc49780c31381696ad42a24369b398a2a85580196c031067f97e621d

                                  SHA512

                                  411d5d02d40de7ec4eb4679cc1047df0987060676bbd721efe099c6babbaead2dccdd68a394afe930c96bb34f40c0512ae4ca224c152f02721072cc14c04004d

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
                                  Filesize

                                  44KB

                                  MD5

                                  c33487dbfbcd56ed1abbd8474854abfa

                                  SHA1

                                  24567b9dd8db9ba8df90e39140b517611a363d46

                                  SHA256

                                  0667afe58e06cd33647019351f0531f17f1144fa7513018ce58d43bd36352191

                                  SHA512

                                  81f95f2247afb2b56fb56aa9f9fd81c89e44bb523c1cc865927d9e6f49b049ccffa45ebcd6bf8661a32fa3912916c53df6cc1c57dc268f15cc1495f458466540

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
                                  Filesize

                                  264KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2
                                  Filesize

                                  1.0MB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
                                  Filesize

                                  4.0MB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
                                  Filesize

                                  34KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
                                  Filesize

                                  59KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
                                  Filesize

                                  40KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                  Filesize

                                  264KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                  Filesize

                                  810B

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                  Filesize

                                  2B

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                  Filesize

                                  356B

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                  Filesize

                                  7KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                  Filesize

                                  16KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0
                                  Filesize

                                  44KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
                                  Filesize

                                  264KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3
                                  Filesize

                                  4.0MB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                  Filesize

                                  270KB

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                  Filesize

                                  270KB

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\serverwin.exe.log
                                  Filesize

                                  1KB

                                • \??\pipe\crashpad_1248_YCXVTEBEVBGTRDPQ
