Analysis
max time kernel: 491s
max time network: 589s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 28-10-2024 18:54
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
darkcomet
Guest16
2.tcp.eu.ngrok.io:17210
DC_MUTEX-R9CR7YJ
InstallPath: MSDCSC\msdcsc.exe
gencode: 3cv9yzVNzLJy
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | riot.exe
-
Downloads MZ/PE file
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
1728 | attrib.exe
3312 | attrib.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | riot.exe
-
Executes dropped EXE 2 IoCs
pid | Process
3852 | riot.exe
5312 | msdcsc.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | riot.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow | ioc
98 | 2.tcp.eu.ngrok.io
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | riot.exe
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe:SmartScreen:$DATA | riot.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | riot.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | riot.exe
-
resource | yara_rule
behavioral1/files/0x0003000000040c98-216.dat | upx
behavioral1/memory/3852-315-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/3852-320-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/5312-321-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/5312-323-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/5312-324-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/5312-337-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/5312-349-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/5312-350-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/5312-370-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/5312-380-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\da963fd9-0fe5-4288-a638-f317ec1077a5.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241028185429.pma | setup.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4544 | 5368 | WerFault.exe | 121
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | riot.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | riot.exe
-
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 251837.crdownload:SmartScreen | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process
6116 | msedge.exe
2192 | msedge.exe
1268 | identity_helper.exe
4308 | msedge.exe
5484 | taskmgr.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid | Process
2192 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 3852 | riot.exe
Token: SeSecurityPrivilege | 3852 | riot.exe
Token: SeTakeOwnershipPrivilege | 3852 | riot.exe
Token: SeLoadDriverPrivilege | 3852 | riot.exe
Token: SeSystemProfilePrivilege | 3852 | riot.exe
Token: SeSystemtimePrivilege | 3852 | riot.exe
Token: SeProfSingleProcessPrivilege | 3852 | riot.exe
Token: SeIncBasePriorityPrivilege | 3852 | riot.exe
Token: SeCreatePagefilePrivilege | 3852 | riot.exe
Token: SeBackupPrivilege | 3852 | riot.exe
Token: SeRestorePrivilege | 3852 | riot.exe
Token: SeShutdownPrivilege | 3852 | riot.exe
Token: SeDebugPrivilege | 3852 | riot.exe
Token: SeSystemEnvironmentPrivilege | 3852 | riot.exe
Token: SeChangeNotifyPrivilege | 3852 | riot.exe
Token: SeRemoteShutdownPrivilege | 3852 | riot.exe
Token: SeUndockPrivilege | 3852 | riot.exe
Token: SeManageVolumePrivilege | 3852 | riot.exe
Token: SeImpersonatePrivilege | 3852 | riot.exe
Token: SeCreateGlobalPrivilege | 3852 | riot.exe
Token: 33 | 3852 | riot.exe
Token: 34 | 3852 | riot.exe
Token: 35 | 3852 | riot.exe
Token: 36 | 3852 | riot.exe
Token: SeIncreaseQuotaPrivilege | 5312 | msdcsc.exe
Token: SeSecurityPrivilege | 5312 | msdcsc.exe
Token: SeTakeOwnershipPrivilege | 5312 | msdcsc.exe
Token: SeLoadDriverPrivilege | 5312 | msdcsc.exe
Token: SeSystemProfilePrivilege | 5312 | msdcsc.exe
Token: SeSystemtimePrivilege | 5312 | msdcsc.exe
Token: SeProfSingleProcessPrivilege | 5312 | msdcsc.exe
Token: SeIncBasePriorityPrivilege | 5312 | msdcsc.exe
Token: SeCreatePagefilePrivilege | 5312 | msdcsc.exe
Token: SeBackupPrivilege | 5312 | msdcsc.exe
Token: SeRestorePrivilege | 5312 | msdcsc.exe
Token: SeShutdownPrivilege | 5312 | msdcsc.exe
Token: SeDebugPrivilege | 5312 | msdcsc.exe
Token: SeSystemEnvironmentPrivilege | 5312 | msdcsc.exe
Token: SeChangeNotifyPrivilege | 5312 | msdcsc.exe
Token: SeRemoteShutdownPrivilege | 5312 | msdcsc.exe
Token: SeUndockPrivilege | 5312 | msdcsc.exe
Token: SeManageVolumePrivilege | 5312 | msdcsc.exe
Token: SeImpersonatePrivilege | 5312 | msdcsc.exe
Token: SeCreateGlobalPrivilege | 5312 | msdcsc.exe
Token: 33 | 5312 | msdcsc.exe
Token: 34 | 5312 | msdcsc.exe
Token: 35 | 5312 | msdcsc.exe
Token: 36 | 5312 | msdcsc.exe
Token: SeDebugPrivilege | 5484 | taskmgr.exe
Token: SeSystemProfilePrivilege | 5484 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 5484 | taskmgr.exe
Token: 33 | 5484 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 5484 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2192 | msedge.exe
5484 | taskmgr.exe
5312 | msdcsc.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
2192 | msedge.exe
5484 | taskmgr.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
5312 | msdcsc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2192 wrote to memory of 1208 | 2192 | msedge.exe | 81
PID 2192 wrote to memory of 1500 | 2192 | msedge.exe | 83
PID 2192 wrote to memory of 6116 | 2192 | msedge.exe | 84
PID 2192 wrote to memory of 2252 | 2192 | msedge.exe | 85
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
1728 | attrib.exe
3312 | attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://dosya.co/wtw90d8js92r/riot.exe.html 1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7fff3b6446f8,0x7fff3b644708,0x7fff3b644718 2⤵ PID:1208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:22⤵PID:1500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8 2⤵ PID:2252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1 2⤵ PID:1696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1 2⤵ PID:4692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1 2⤵ PID:5856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8 2⤵ PID:5892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings 2⤵
- Drops file in Program Files directory
PID:2620 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff66aa15460,0x7ff66aa15470,0x7ff66aa15480 3⤵ PID:5980
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1 2⤵ PID:1728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1 2⤵ PID:3976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1 2⤵ PID:5896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1 2⤵ PID:2480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5932 /prefetch:8 2⤵ PID:4280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1 2⤵ PID:3740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6860 /prefetch:8 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6968 /prefetch:8 2⤵ PID:2088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,4115949236003847490,15724951311153640072,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6396 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4308
-
-
C:\Windows\System32\CompPkgSrv.exe C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:1612
-
C:\Windows\System32\CompPkgSrv.exe C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:4176
-
C:\Users\Admin\Downloads\riot.exe "C:\Users\Admin\Downloads\riot.exe" 1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3852 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Downloads\riot.exe" +s +h 2⤵
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\Admin\Downloads\riot.exe" +s +h 3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1728
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Downloads" +s +h 2⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\Admin\Downloads" +s +h 3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3312
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5312 -
C:\Windows\SysWOW64\notepad.exe notepad 3⤵
- System Location Discovery: System Language Discovery
PID:5368 -
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 364 4⤵
- Program crash
PID:4544
-
-
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5368 -ip 5368 1⤵ PID:1508
-
C:\Windows\system32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4 1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5484
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (2)
Downloads
-
Filesize
11KB
MD5c492ea9a9108c6929082dbbe88ba03cd
SHA1e48a74f70ed8eb282d30aee2e0632afa84d2a006
SHA256f31b1634ed044f7990f18f011b5b9ed9c1b8f7f9c30641fdefee630cdad8e1e4
SHA512eb6eede6e6814dd158382c6d96347baa5d036bfa08f559e0a1521ebe44b4cbb273759e3fcac014a21acdf3e892806eac11bcb6c201b17ea37fea85465b2fe411
-
Filesize
10KB
MD50f409d8287a01235c236add5ea8d169a
SHA1c3400c7587af6108dc880c4cfbc323f870e06b2a
SHA256b8f6fb48a5506969c273e2fb5ad26c44cd8b20f87cfdf4724aba18228f2f3ba8
SHA51221f7aa8d842ccbb41ea3f2c21e3ffd50a62d61033f86980b1df12a0e385e0fe91dd3040f298fac637d685ad3fa4d8de90223295dcedac816a3211e32bfd7de52
-
Filesize
8KB
MD5e572e74f253f4f03c820ccc316b052e5
SHA1f90362d69639adc5d5b4683abdb8c8ad2d9dd5a2
SHA25662b1fb29f1132bb4fef5c3a6d182cd8d8d1f7d5fd3cd820f282b1a363703415c
SHA512fde6b36727887d5463093c3173aaade836ac8cf80ec3df81756c7d52b45341e27ea5d3f005ad797681c04d712e60f04a0fc40316df143008b4f21b1cfaf25947
-
Filesize
11KB
MD51d237f856a5904b1a81042e8928ecc7c
SHA1fe44e4c77126fa6de4689d04b8aaae78e3fa4b46
SHA256a4bf8bee2da645cb4046699d2eedb0d33f45377948c85658a4ceb54e920e5a44
SHA51221393a92865956a95e8c1af1ec2b636a6f851778b64fa383ac29ee4f9e379d7f3b30378e32bddce9a1359636ec2e1ee00a0b38ed8850859663c2e0112a752fd1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB