Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-08-2024 18:54
Static task: static1
Behavioral task: behavioral1
Sample: downloader11.exe
Resource: win7-20240705-en
General
Target: downloader11.exe
Size: 70.1MB
MD5: 7e4b04a254d52d6745a5d614ad447636
SHA1: 09972b7895437ba28485ed0be0fadc22d6b710b6
SHA256: 769e75f011679a606c9a6afbb6380942d08389ace334bfa7399b44bfcbc7db19
SHA512: e85d6e25cdbf6833de0586d477e0fe3741d5223e4f3be8ccc96984dc63eef045ccdf68aaae51c2ff2205da7f911008fbba7915d7553abb5ae92f9bc73c2cc2f8
SSDEEP: 393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qRsGg4GUo3N3:lWoI7zGP5ahWc3ImF
Malware Config
Extracted
xworm
83.38.19.195:1603
Install_directory: %ProgramData%
install_file: Runtime Broker.exe
Signatures
-
Detect Xworm Payload 10 IoCs
Processes:
resource | yara_rule
C:\Users\Public\OneDrive.exe | family_xworm
C:\Users\Public\Runtime Broker.exe | family_xworm
C:\Users\Public\svhost.exe | family_xworm
behavioral2/memory/3880-49-0x0000000000790000-0x00000000007BC000-memory.dmp | family_xworm
C:\Users\Public\WmiPrvSE.exe | family_xworm
behavioral2/memory/1412-65-0x0000000000800000-0x0000000000816000-memory.dmp | family_xworm
C:\Users\Public\SecurityHealthSystray.exe | family_xworm
behavioral2/memory/4424-76-0x0000000000A30000-0x0000000000A46000-memory.dmp | family_xworm
behavioral2/memory/536-80-0x00000000001B0000-0x00000000001F4000-memory.dmp | family_xworm
behavioral2/memory/3080-79-0x0000000000400000-0x0000000000424000-memory.dmp | family_xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | notepad.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
4012 | powershell.exe
4036 | powershell.exe
2096 | powershell.exe
2072 | powershell.exe
2076 | powershell.exe
772 | powershell.exe
4032 | powershell.exe
8 | powershell.exe
2440 | powershell.exe
3896 | powershell.exe
2388 | powershell.exe
2104 | powershell.exe
3672 | powershell.exe
4600 | powershell.exe
4508 | powershell.exe
4132 | powershell.exe
2020 | powershell.exe
3612 | powershell.exe
3764 | powershell.exe
3464 | powershell.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | notepad.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | notepad.exe
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | svhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | SecurityHealthSystray.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | WmiPrvSE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | notepad.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | OneDrive.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | Runtime Broker.exe
Drops startup file 9 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | svhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | OneDrive.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | svhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | OneDrive.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | Runtime Broker.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk | WmiPrvSE.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk | SecurityHealthSystray.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk | WmiPrvSE.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk | SecurityHealthSystray.exe
Executes dropped EXE 18 IoCs
Processes:
pid | process
3124 | notepad.exe
3880 | OneDrive.exe
1412 | Runtime Broker.exe
4424 | svhost.exe
3080 | WmiPrvSE.exe
536 | SecurityHealthSystray.exe
4360 | SecurityHealthSystray.exe
4120 | svhost.exe
2036 | Runtime Broker.exe
4792 | WmiPrvSE.exe
3720 | SecurityHealthSystray.exe
3604 | svhost.exe
1680 | Runtime Broker.exe
4732 | WmiPrvSE.exe
2236 | SecurityHealthSystray.exe
2604 | svhost.exe
4812 | Runtime Broker.exe
376 | WmiPrvSE.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
3124 | notepad.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\notepad.exe | agile_net
behavioral2/memory/3124-8-0x0000000000250000-0x0000000000A04000-memory.dmp | agile_net
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\e6acf542-692a-4eeb-8143-80ce8cd764ce\AgileDotNetRT64.dll | themida
behavioral2/memory/3124-15-0x00007FFF9AC40000-0x00007FFF9B7C4000-memory.dmp | themida
behavioral2/memory/3124-17-0x00007FFF9AC40000-0x00007FFF9B7C4000-memory.dmp | themida
behavioral2/memory/3124-81-0x00007FFF9AC40000-0x00007FFF9B7C4000-memory.dmp | themida
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe" | SecurityHealthSystray.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Runtime Broker.exe" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" | svhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe" | Runtime Broker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Users\\Public\\WmiPrvSE.exe" | WmiPrvSE.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
3124 | notepad.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2284 | schtasks.exe
3492 | schtasks.exe
2880 | schtasks.exe
5104 | schtasks.exe
2828 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3880 | OneDrive.exe
Token: SeDebugPrivilege | 1412 | Runtime Broker.exe
Token: SeDebugPrivilege | 4424 | svhost.exe
Token: SeDebugPrivilege | 536 | SecurityHealthSystray.exe
Token: SeDebugPrivilege | 3080 | WmiPrvSE.exe
Token: SeDebugPrivilege | 4012 | powershell.exe
Token: SeDebugPrivilege | 8 | powershell.exe
Token: SeDebugPrivilege | 2020 | powershell.exe
Token: SeDebugPrivilege | 3672 | powershell.exe
Token: SeDebugPrivilege | 2440 | powershell.exe
Token: SeDebugPrivilege | 4036 | powershell.exe
Token: SeDebugPrivilege | 3896 | powershell.exe
Token: SeDebugPrivilege | 2096 | powershell.exe
Token: SeDebugPrivilege | 2388 | powershell.exe
Token: SeDebugPrivilege | 3612 | powershell.exe
Token: SeDebugPrivilege | 2072 | powershell.exe
Token: SeDebugPrivilege | 2076 | powershell.exe
Token: SeDebugPrivilege | 4600 | powershell.exe
Token: SeDebugPrivilege | 3764 | powershell.exe
Token: SeDebugPrivilege | 3464 | powershell.exe
Token: SeDebugPrivilege | 4508 | powershell.exe
Token: SeDebugPrivilege | 4132 | powershell.exe
Token: SeDebugPrivilege | 772 | powershell.exe
Token: SeDebugPrivilege | 2104 | powershell.exe
Token: SeDebugPrivilege | 4032 | powershell.exe
Token: SeDebugPrivilege | 3080 | WmiPrvSE.exe
Token: SeDebugPrivilege | 536 | SecurityHealthSystray.exe
Token: SeDebugPrivilege | 4424 | svhost.exe
Token: SeDebugPrivilege | 3880 | OneDrive.exe
Token: SeDebugPrivilege | 1412 | Runtime Broker.exe
Token: SeDebugPrivilege | 4360 | SecurityHealthSystray.exe
Token: SeDebugPrivilege | 4120 | svhost.exe
Token: SeDebugPrivilege | 2036 | Runtime Broker.exe
Token: SeDebugPrivilege | 4792 | WmiPrvSE.exe
Token: SeDebugPrivilege | 3720 | SecurityHealthSystray.exe
Token: SeDebugPrivilege | 3604 | svhost.exe
Token: SeDebugPrivilege | 1680 | Runtime Broker.exe
Token: SeDebugPrivilege | 4732 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2236 | SecurityHealthSystray.exe
Token: SeDebugPrivilege | 2604 | svhost.exe
Token: SeDebugPrivilege | 4812 | Runtime Broker.exe
Token: SeDebugPrivilege | 376 | WmiPrvSE.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
"C:\Users\Admin\AppData\Local\Temp\downloader11.exe"
- Suspicious use of WriteProcessMemory
PID:2828
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""
  PID:3448
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
  - Suspicious use of WriteProcessMemory
  PID:1632
    "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:3124
      "C:\Users\Public\OneDrive.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:3880
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDrive.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4012
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:3896
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:3764
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2104
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        - Scheduled Task/Job: Scheduled Task
        PID:2880
      "C:\Users\Public\Runtime Broker.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1412
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:8
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2388
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2072
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:772
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
        - Scheduled Task/Job: Scheduled Task
        PID:2828
      "C:\Users\Public\svhost.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:4424
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svhost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2020
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4036
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2076
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4508
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
        - Scheduled Task/Job: Scheduled Task
        PID:5104
      "C:\Users\Public\WmiPrvSE.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:3080
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:3672
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2096
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:3464
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4032
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"
        - Scheduled Task/Job: Scheduled Task
        PID:2284
      "C:\Users\Public\SecurityHealthSystray.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:536
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SecurityHealthSystray.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2440
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:3612
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4600
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4132
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
        - Scheduled Task/Job: Scheduled Task
        PID:3492
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""
  PID:4500
C:\ProgramData\SecurityHealthSystray.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360
C:\ProgramData\svhost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4120
"C:\ProgramData\Runtime Broker.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036
C:\Users\Public\WmiPrvSE.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792
C:\ProgramData\SecurityHealthSystray.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3720
C:\ProgramData\svhost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604
"C:\ProgramData\Runtime Broker.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680
C:\Users\Public\WmiPrvSE.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732
C:\ProgramData\SecurityHealthSystray.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236
C:\ProgramData\svhost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604
"C:\ProgramData\Runtime Broker.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4812
C:\Users\Public\WmiPrvSE.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter 1
  - PowerShell 1
- Scheduled Task/Job 1
  - Scheduled Task 1
Persistence
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Scheduled Task/Job 1
  - Scheduled Task 1
Privilege Escalation
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Scheduled Task/Job 1
  - Scheduled Task 1
Downloads
-
Filesize
944B
MD565a68df1062af34622552c4f644a5708
SHA16f6ecf7b4b635abb0b132d95dac2759dc14b50af
SHA256718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
SHA5124e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d
-
Filesize
944B
MD5a0029556e3dc9eb984c44114efbd8c3c
SHA1cfb4b2a6e7ff280d4105932025c59288b8fd9e78
SHA2567165399596ee49a876b216ee285a2bdbe44ee4e92cb8a42fad6959699f74062d
SHA5120ad0375e0fc0f7e50c29bd6099d84819c4a7a7032203d96e01d3544ae6258c510bcce06c11aa672c42707194eed52101083995da38538ddde85d33062cd71741
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.2MB
MD505b012457488a95a05d0541e0470d392
SHA174f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA2561f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA5126d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6
-
Filesize
7.7MB
MD55dc898e0f4a504cf08b3bf1121108cfd
SHA1ebccf6c07546640bcd6db32d99cf3e1a30a415c9
SHA25614cd22fbf91e4e47cd635359460b65f57ebc39b68956db35b55090890b4a2dcf
SHA512a0ef35d1f21ef2703c27946a57830db25b6ad7f8d01d4439021887f82198d07a4f62417c99590deb29d0c9ea4028d84f72ee37955653f63f57dfe37c90b0db02
-
Filesize
6KB
MD5307dca9c775906b8de45869cabe98fcd
SHA12b80c3a2fd4a235b2cc9f89315a554d0721c0dd1
SHA2568437bd0ef46a19c9a7c294c53e0429b40e76ebbd5fe9fd73a9025752495ddb1c
SHA51280c03f7add3a33a5df7b1f1665253283550dac484d26339ecd85672fb506dce44bd0bf96275d5c41a2e7369c3b604de377b7f5985d7d0d76c7ac663d60a67a1c
-
Filesize
1KB
MD56cae93213a37ee0703c0a0d1dd311d5a
SHA11f0cce35b6c0ebc94edc09cdc52ee74f995b68a2
SHA2564db5eceecde1bc0412e53037786ac98c6b5ca8c6c6a746b6466eef219436b306
SHA512f413564ab0a2a584c70c022149eafd336ab7586d9de34469720eea0a86549a65290ffa9307ef037f79702a8ce541ebbffcac272d2dfd6c5bc47b1b57ae0370c0
-
Filesize
158KB
MD5f73513e6c124d9749dfd123151e6db5f
SHA14779c67fd22ca94d8e6493d2ff4926c420a6660d
SHA2561b6126e0c126c7bf6c89a8930e0ae65d09bb8bb6f1a5561e8c7108120ebdd0e0
SHA5127ffa503e5259c3273c64078ee0f7911e037f0a10629078d2ff269ae5db1eab528138c4d02dd06e0668521bc75a8e2a99e5df50002098be9f0dc47b87c0cae7b5
-
Filesize
61KB
MD591d837ae278e58ffae9b9cecb989127b
SHA15d95e758e763ac6390abd58e4e53238c6bb4c7a5
SHA256348d4b3310a62ffa0313285c4e7903d8757b6aa904b8614443a6ac966b4c392a
SHA512b645023240e0cb4029058c235031fed22fed79b93db324c6c385eb02291b3fe1d053585e6372e0f0b96265ff432b8f574d4e0a8c99edfd22069e417375c3870f
-
Filesize
250KB
MD5ffe034d7354384175a0c41efe19cb7df
SHA19601ec9a836547f21b39acc43b48fa5258863551
SHA256b3a04200c5bdc579d24c279e04c31db6f623177b629ea1086cb64362417ac910
SHA512e782dece3f1b9fa572f0efb587fdbbee6657c8f089656626c27d1ad032854aabec09eb35e63c91b53f061a44b2a595832ad2d8e01760a7d1df6e09157b3daa92
-
Filesize
127KB
MD5669b9254354d91b88d1e2ed0a819ad3a
SHA1aba685e5c4661bcf3b41b26ff7948c785b57a95e
SHA2563e96447e464c59ec274c7cba90ec8e88814273fcdec782ed896949f476c592e4
SHA512e9b268d92737e999d8e5297f6eb4038962d7bc610285dc746dd9d01ebaa1b9789eada1e131ed345a06fb6b608a73c34e7cfebc4797a9f34bdd304f23457ae0a4
-
Filesize
63KB
MD5407deed69dbb3dc1aa3e9fc1befdc54c
SHA1aa58d9656c172cdd23512dfaf14d202fb447ecf9
SHA2563c226cbe5a0e25ca489394ce37951eabb65ae0a86151d16d145fb63df2933128
SHA51245c6b2b9280e288517c8233cb2b90e49f214e354f6056cf7dd163e382c14b82508eaa6590166ffdcd265f2e3a3c612a25bd5166eafef825b896f53ede621b2da