Analysis
- max time kernel: 130s
- max time network: 136s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 06/01/2025, 22:29
Static task: static1

Behavioral task: behavioral1
- Sample: injection.exe
- Resource: win10v2004-20241007-en

Behavioral task: behavioral2
- Sample: injection.exe
- Resource: win10ltsc2021-20241023-en

Behavioral task: behavioral3
- Sample: injection.exe
- Resource: win11-20241007-en
General
- Target: injection.exe
- Size: 623KB
- MD5: 927bfe05fe20529a0d2446b2b3fb326f
- SHA1: e09cef72f5deeba0c2b54ab6f8532003df9cb2ba
- SHA256: 5cf0d331c890274f77c18eb8a90d911a50f452515371abbe47863413fac0838a
- SHA512: f16679811b448df10542d881e6576fb2bc9fc8421e7b68ae1cdfd8ed7684c7eb7ac073dac63795da06c8bbb008fb2e01748e76f5aefed4ad90e08430bf46693e
- SSDEEP: 12288:eRRTKABlLm78h7d78LR3ArlQ5Ya2NA3X3uj:/ABI72d7ZlLa2S3X3m
Malware Config

Extracted: xworm
- license-kings.gl.at.ply.gg:65464
- Install_directory: %AppData%
- install_file: XClient.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x002800000004509e-46.dat | family_xworm
  behavioral2/memory/1752-56-0x0000000000620000-0x0000000000666000-memory.dmp | family_xworm

Njrat family

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  3724 | powershell.exe
  3372 | powershell.exe
  4684 | powershell.exe
  300 | powershell.exe
  816 | powershell.exe
  976 | powershell.exe

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  2432 | netsh.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | XClient.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | Server.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | injection.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | SearchApp.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe

Executes dropped EXE (6 IoCs)
  pid | Process
  2676 | SearchApp.exe
  1752 | XClient.exe
  4292 | Server.exe
  2640 | 1.exe
  3876 | XClient.exe
  4932 | XClient.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | XClient.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cebbc17108ba69818fc4a0b0ed3bb871 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe\" .." | 1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cebbc17108ba69818fc4a0b0ed3bb871 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe\" .." | 1.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  16 | ip-api.com
Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
  File opened for modification | C:\Windows\SystemTemp | chrome.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe

Delays execution with timeout.exe (1 IoCs)
  pid | Process
  1956 | timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133806762190947297" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  828 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (39 IoCs)
  pid | Process (identical rows collapsed, hit count in parentheses)
  976 | powershell.exe (×2)
  3724 | powershell.exe (×2)
  3372 | powershell.exe (×2)
  4684 | powershell.exe (×2)
  300 | powershell.exe (×2)
  816 | powershell.exe (×2)
  1752 | XClient.exe (×1)
  2084 | chrome.exe (×2)
  5728 | taskmgr.exe (×24)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid | Process
  2084 | chrome.exe (×4)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4112 | injection.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 636 | vssvc.exe
  Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 976 | powershell.exe
  Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3724 | powershell.exe
  Token: SeDebugPrivilege (×2) | 2676 | SearchApp.exe
  Token: SeDebugPrivilege | 1752 | XClient.exe
  Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege | 3372 | powershell.exe

Suspicious use of FindShellTrayWindow (62 IoCs)
  pid | Process
  2084 | chrome.exe (×26)
  5728 | taskmgr.exe (×36)

Suspicious use of SendNotifyMessage (60 IoCs)
  pid | Process
  2084 | chrome.exe (×24)
  5728 | taskmgr.exe (×36)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1752 | XClient.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4112 wrote to memory of 976 | 4112 | injection.exe | 84 (×2)
  PID 4112 wrote to memory of 3724 | 4112 | injection.exe | 87 (×2)
  PID 4112 wrote to memory of 4800 | 4112 | injection.exe | 91 (×2)
  PID 4800 wrote to memory of 1956 | 4800 | cmd.exe | 93 (×2)
  PID 2676 wrote to memory of 1752 | 2676 | SearchApp.exe | 94 (×2)
  PID 2676 wrote to memory of 4292 | 2676 | SearchApp.exe | 95 (×3)
  PID 1752 wrote to memory of 3372 | 1752 | XClient.exe | 98 (×2)
  PID 1752 wrote to memory of 4684 | 1752 | XClient.exe | 100 (×2)
  PID 1752 wrote to memory of 300 | 1752 | XClient.exe | 103 (×2)
  PID 1752 wrote to memory of 816 | 1752 | XClient.exe | 105 (×2)
  PID 4292 wrote to memory of 2640 | 4292 | Server.exe | 107 (×3)
  PID 1752 wrote to memory of 828 | 1752 | XClient.exe | 109 (×2)
  PID 2640 wrote to memory of 2432 | 2640 | 1.exe | 114 (×3)
  PID 2084 wrote to memory of 1496 | 2084 | chrome.exe | 120 (×2)
  PID 2084 wrote to memory of 4280 | 2084 | chrome.exe | 121 (×30)
  PID 2084 wrote to memory of 4544 | 2084 | chrome.exe | 122 (×2)
  PID 2084 wrote to memory of 5084 | 2084 | chrome.exe | 123 (×1)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\injection.exe (PID 4112)
  command line: "C:\Users\Admin\AppData\Local\Temp\injection.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 976)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SearchApp.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3724)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchApp.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 4800)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9A8A.tmp.bat""
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\timeout.exe (PID 1956)
          command line: timeout 3
          - Delays execution with timeout.exe

C:\Windows\system32\vssvc.exe (PID 636)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\SearchApp.exe (PID 2676)
  command line: "C:\Users\Admin\AppData\Roaming\SearchApp.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 1752)
      command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3372)
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4684)
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 300)
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 816)
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses

        C:\Windows\System32\schtasks.exe (PID 828)
          command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
          - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 4292)
      command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\1.exe (PID 2640)
          command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\netsh.exe (PID 2432)
              command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1.exe" "1.exe" ENABLE
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Roaming\XClient.exe (PID 3876)
  command line: "C:\Users\Admin\AppData\Roaming\XClient.exe"
  - Executes dropped EXE

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2084)
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1496)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9fb17cc40,0x7ff9fb17cc4c,0x7ff9fb17cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4280)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2064,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2052 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4544)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2096 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5084)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1792,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1628 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 464)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3136 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3420)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3184 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4768)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4536 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3576)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4872 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3132)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5008 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4856)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5052 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2228)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5008 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1892)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4996 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 440)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5600,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5608 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5420)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5620,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5756 /prefetch:2

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 3780)
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe (PID 788)
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Users\Admin\AppData\Roaming\XClient.exe (PID 4932)
  command line: "C:\Users\Admin\AppData\Roaming\XClient.exe"
  - Executes dropped EXE

C:\Windows\System32\oobe\UserOOBEBroker.exe (PID 5472)
  command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (PID 5608)
  command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  - System Location Discovery: System Language Discovery

C:\Windows\system32\taskmgr.exe (PID 5728)
  command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
Filesize
649B
MD56e98ae1d2b61186de8835d71b056c8fe
SHA1c6591f9c0298ba326056c842fd73b9912196b32f
SHA256a13179ab65693492691abedde8c1f833a48d4a4d14e9beffa460ff333ab5103e
SHA5120ba2056f73b06648c83da72e8fd3583ddd6060049a2ea82778753057c4b2f467c7dc2de2a0138bd249fe6c4d9f83e3a9355a0f5a5fd724d7e6270601f938b813
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
1KB
MD5d944e4de56b5e46891fb02d79e81f23f
SHA104e215fd3a1d752d4125f830d7aeb9f018a5ecb8
SHA2563393832f0abfd44a983d56f2c88d296a12f171a2453f6ae77300c339feb61b97
SHA512eb61f2b2096a47924ebaad69e89268e919631995f9421996e8da76ffedfe715d66406cd313ed9bd70b7759202c14e7d5d120dbe91b02417aac32c32687900cb9
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD519500a2b30ef982fb2de1e765f0a98bb
SHA1c0c1007a320328c28713317157e40447b36cbaf1
SHA256fa289e2dd585d7a37730b34591e5826c754a361e5341b33c3936b4c0bbfbefa0
SHA512f83d933c90ef33389e6591f0c762c36378a30f31760de7f3cc1074878ea9df86942f455ba3c8df26742d73ca3d3cae91716a22aba68b14eec349baf863893036
-
Filesize
9KB
MD533ebf7126e7f503e3d7dfbb2fe809c73
SHA15363cf3e653fe4a0389b2701d3c8594e24caa96b
SHA256ec386d135b4d14c5a68929391e7aeb42fcf8649f1966ec437d96c51010edbc22
SHA51231c441525370eee65a19e3a7c2e57eb412f522c56c4c8785052872aecbc4e37cf4f7ec1f553a97467bc8645c4dd1a0dae97fd92c95bc4b2eb094f57d8984a3c2
-
Filesize
9KB
MD5 a4959eff6d3d9b3aef8eb23804dbf35d
SHA1 28ef8a08a4aea19981b8f4727e3aa3a052e50e52
SHA256 a0a395cd1843aef59a98bf339c39649623394442605eb3d3110d92e3e7d4d3d5
SHA512 4df0c826b81db441c84f1e4bc5b09e88451288f0349f318317124f11cb997b2b29fdce012159aad18a3fa8952895e19c29988c8b59b5ad16c8caca0eab377e1d
-
Filesize
9KB
MD5 2288404b54de7aa5c7367cc48dd9d5b9
SHA1 a521cf3a6c97f66020f27f75d88483cc14ce3caa
SHA256 be5c57de241ec8a4dce8302b5f29555344b9ae4d02a75d6a13cf5e2db915999c
SHA512 3dc8ebab9002bc1c18a9471c8ce803eea8e1b17695a680470a58fbf1935e89e91f8cc942be164292961a9cfa1a636732e9ceefa6f0df49be38bb2351b6049855
-
Filesize
9KB
MD5 032e120fdce5eb42c782f5aaf2235d9f
SHA1 2fc27b89e27cb82dc03e6a700b30613b88cd70b6
SHA256 db81baaca8829efd9d6b440a451c1c8d257e97d075dd87faf9eb4fc023f23c18
SHA512 093401849715f61627edb400c07a9c979367deaf20f597d3ccfaf1f583259618b1ea09826a8fb7dc0b9e82c3419c41de0c8bada2f25e8494b1e3f113d3b856a2
-
Filesize
15KB
MD5 9b91128a25cd5a178ce7faadbfcdd083
SHA1 cede2bb09dbe3d28509f53a29951aa61e9eabe3c
SHA256 835fa822dce9eb4347d151a1ae2fee5843dfa8be50eb125450e2002b5bb0e5f4
SHA512 db79d6d4d832a0add248a6271181c80f7873aca6c34b5ec9f910337fbdcd75949ec2ecb5f01429f2a48ddc40053dfa567acb0fc220a03b74423ac501dec92dca
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B
MD5 4bb9a27104ce19f146b00366bb5bc3ee
SHA1 d8a16170525bb7dcc98721b8db43928db107661d
SHA256 d5bfc4f784382b21c813ad53a2d3df79d99abf8ff7f1593a1b056710215b96f7
SHA512 c62a6f47615470e6e968fab5d436528bd5780d012c591d48a3656404744ba15411b416bd3c38f7e876f2e0575a27a2ad3d9d1ae3c1b4f2764e21fb282159da6b
-
Filesize
233KB
MD5 e45cdbcecb2727a0b75e5763a4ce49e9
SHA1 9fe4403163d65d639f8c7136e6d04f04bc9bb856
SHA256 25f4a97f4c2270040260f55c7adad743f65b5a1c4d7f957594ca5a194227a46a
SHA512 3f6762349d73f6b8014c3b52d5748b6da4f7a016a24b78e24601f3157a298dd1235a4b5ce95b43f78e87f5b09187483811f39e792db4ab70e2052de193fe2cd4
-
Filesize
233KB
MD5 12e626caf460a120904e137a8884ae2e
SHA1 0588fa8b6f369606cd92bef06dc08d410831f50b
SHA256 c228d57b1e1d57579dd9408e1965736012a6f56a73eeb03ce95f5985d8db4301
SHA512 34d83a672164720a49057695a47a8869508223c8f0cb846458994d2e9ba7e994c606ec925986f862aaf1cd2b3eb1b5003056ad5ad0a9008a4a9ae90286bcc4eb
-
Filesize
654B
MD5 11c6e74f0561678d2cf7fc075a6cc00c
SHA1 535ee79ba978554abcb98c566235805e7ea18490
SHA256 d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA512 32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
Filesize
3KB
MD5 3eb3833f769dd890afc295b977eab4b4
SHA1 e857649b037939602c72ad003e5d3698695f436f
SHA256 c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512 c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD5 62f8fbde65a185c33212ca7af47d090a
SHA1 01c207b3e8bf2dbdcd5962623b756f1808428e8e
SHA256 1b1746722a174074f5cdee7d3e0b020d1e9a76a331499eebdcc1c1dbaf161346
SHA512 78d6417c573e7f178abf6806c2f3041d6ff8dcced68d84c734abe51feccb611252ff7381267d30d240b6c07675893ca7e9eae01a506fd1df37e480a90ab45438
-
Filesize
1KB
MD5 c67441dfa09f61bca500bb43407c56b8
SHA1 5a56cf7cbeb48c109e2128c31b681fac3959157b
SHA256 63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33
SHA512 325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8
-
Filesize
1KB
MD5 67ef0f14508f4a9afefb7d29af6df045
SHA1 dec3ac938341f94880e234cc14c03551d347376c
SHA256 d66c5d46d0e7fbecbccabccc861c245e8999cf38882453a9f905dcbecbf0af51
SHA512 8c6389063fdcfeed823bdbc888b7a1f429711c8061cf409e3987979d97386f76f4afe9b14dc32fd99cf15c627954d65f352f20d56958554ef9771f09c893d5a3
-
Filesize
1KB
MD5 d0540f059d4d5915e8bc595a97f83f73
SHA1 ea2cab054b2d48d44f6a1c55a48616283daf7217
SHA256 7f008acc43db14bcee938cdeee539f7164d335829b54ebb585256d0a3b87e5d9
SHA512 ec251b2728352d3d2072f4ae68cd1db62e425b9065c28f37cb31afd6a816d10b2c3ec27108a63fb065978199bf1e9f7c08b13ce98e3a22f077f81a32fca368ec
-
Filesize
1KB
MD5 c9569d209d2c7736dd0bf85e5b391e18
SHA1 123597f50a683c6b8b724460aba71b8fbd92d7a7
SHA256 e65255c123e55f2972607e6f596be0e8f879a946bdceb235b635f557046bc4b7
SHA512 40d491e266869814da5f87410ca2b1de279a1bcd89ef382b13940bdbb9f017d3ad6ece22ab98c8f06fb9d227c4adeafd390be622cb27dd08240f201e96a5ca6a
-
Filesize
23KB
MD5 617df0fff22badfb0a8a64fcaf37dd0a
SHA1 09eea43487d4b35eab31f391ade2914e8d197faf
SHA256 5571bb2b05b74d957016264da9326046b1fa58e879506888ed554d1a287db8fb
SHA512 e3d1b0e4bfb0cdfe2b1dd91e4b26893f7e26f37377f5ebc47faa43e7be33d1dc22bb431d0a1bcdf9776ffb3b470d5dbf983db77eea1ef5d584413ff7e76f6cbe
-
Filesize
256KB
MD5 ac9c9db04b5ec03ff5af25507cb23af8
SHA1 de562bb91f6eb99b4d82292c81b3d3f7b0ab59bb
SHA256 dedf73abd94a48ff77f196baac62648f8bebbf9ce0ca4096922d50b3c7c19a9a
SHA512 a81252c7c457727c5b5fef089d19225f504c0b53dfde96467c3cb349acfa16897790e4b55fa6ac7f0b9fc9aaed3d6caa5194b3ac2de5875c6aa3da94223a48b7
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
711B
MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
161B
MD5 9af03fe2e8ca20b22251183221124c63
SHA1 b7b396fc2cfc12e34c9bfc612dd8784f93531301
SHA256 c9a1fe276fe9338ac71c10d907f965bdf824b125c0ea3942edfa2762c2a2a6e1
SHA512 1d873f05af5144f35c071bc87c6d1611b56bced9de3a38479a23cd6de73fa9bdce74c3a2840071586613c82184e5e61535adc5f385062fce66e61a2707d9bbf0
-
Filesize
771B
MD5 a26f3cb7c739e660ecd04f911eed70e3
SHA1 22c0acf57c0edf276c81cfcd690644ab9fd73f32
SHA256 e2e6daefcb8ebf99cb6a2e6b19efb36ae43e84a16fd1e89464afad7cc47f8649
SHA512 4f58e16d911e84fee03b492c5e50caa8d98f123fe68023d8f65be41af3c2cff5f73e702553b0a6aad3499c4d895f263fbce703eede2f667bbb1c44008f3aace3
-
Filesize
623KB
MD5 927bfe05fe20529a0d2446b2b3fb326f
SHA1 e09cef72f5deeba0c2b54ab6f8532003df9cb2ba
SHA256 5cf0d331c890274f77c18eb8a90d911a50f452515371abbe47863413fac0838a
SHA512 f16679811b448df10542d881e6576fb2bc9fc8421e7b68ae1cdfd8ed7684c7eb7ac073dac63795da06c8bbb008fb2e01748e76f5aefed4ad90e08430bf46693e