Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/11/2022, 10:34
Behavioral task
behavioral1
Sample
e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe
Resource
win10-20220812-en
General
-
Target
e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe
-
Size
1.3MB
-
MD5
bdea4f81253364ed4951878734dafa47
-
SHA1
af6b5ce65545727255c3eebb0140cbd594d671d1
-
SHA256
e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987
-
SHA512
9a716cb44bfef5b64fe11a2b8adc3ce66a376438f3639db69bcfe222ceefbf958c02167233c5621f3aa61f00b5830b9b00212c19bd87561356c946dc8b77840c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4952 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3144 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3164 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4324 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4644 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4640 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3684 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5076 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5060 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4652 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5080 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4944 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3232 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3228 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3760 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4660 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4664 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4580 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4336 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4348 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4680 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4528 4176 schtasks.exe 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4460 4176 schtasks.exe 70
-
resource yara_rule
behavioral1/files/0x000800000001ac0c-280.dat dcrat
behavioral1/files/0x000800000001ac0c-281.dat dcrat
behavioral1/memory/3884-282-0x0000000000A40000-0x0000000000B50000-memory.dmp dcrat
behavioral1/files/0x000600000001ac24-311.dat dcrat
behavioral1/files/0x000600000001ac24-310.dat dcrat
behavioral1/files/0x000600000001ac24-611.dat dcrat
behavioral1/files/0x000600000001ac24-618.dat dcrat
behavioral1/files/0x000600000001ac24-624.dat dcrat
behavioral1/files/0x000600000001ac24-629.dat dcrat
behavioral1/files/0x000600000001ac24-634.dat dcrat
behavioral1/files/0x000600000001ac24-639.dat dcrat
behavioral1/files/0x000600000001ac24-644.dat dcrat
behavioral1/files/0x000600000001ac24-649.dat dcrat
behavioral1/files/0x000600000001ac24-655.dat dcrat
behavioral1/files/0x000600000001ac24-660.dat dcrat
behavioral1/files/0x000600000001ac24-665.dat dcrat
-
Executes dropped EXE 13 IoCs
pid Process
3884 DllCommonsvc.exe
2032 taskhostw.exe
892 taskhostw.exe
4680 taskhostw.exe
3936 taskhostw.exe
4748 taskhostw.exe
4432 taskhostw.exe
4056 taskhostw.exe
544 taskhostw.exe
2492 taskhostw.exe
2412 taskhostw.exe
416 taskhostw.exe
1712 taskhostw.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 2 IoCs
description ioc Process
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe DllCommonsvc.exe
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ea9f0e6c9e2dcd DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\tracing\lsass.exe DllCommonsvc.exe
File created C:\Windows\tracing\6203df4a6bafc7 DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
5080 schtasks.exe
3232 schtasks.exe
4580 schtasks.exe
4348 schtasks.exe
4644 schtasks.exe
4640 schtasks.exe
5060 schtasks.exe
4652 schtasks.exe
4460 schtasks.exe
4528 schtasks.exe
4324 schtasks.exe
4944 schtasks.exe
3760 schtasks.exe
4660 schtasks.exe
4336 schtasks.exe
4508 schtasks.exe
4952 schtasks.exe
3164 schtasks.exe
3684 schtasks.exe
3228 schtasks.exe
3144 schtasks.exe
5076 schtasks.exe
4664 schtasks.exe
4680 schtasks.exe
-
Modifies registry class 12 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings taskhostw.exe
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
pid Process
3884 DllCommonsvc.exe
420 powershell.exe
1020 powershell.exe
1236 powershell.exe
3152 powershell.exe
1672 powershell.exe
612 powershell.exe
1040 powershell.exe
4696 powershell.exe
1236 powershell.exe
204 powershell.exe
420 powershell.exe
2032 taskhostw.exe
612 powershell.exe
1236 powershell.exe
1020 powershell.exe
420 powershell.exe
612 powershell.exe
3152 powershell.exe
1672 powershell.exe
1020 powershell.exe
4696 powershell.exe
1040 powershell.exe
204 powershell.exe
3152 powershell.exe
1672 powershell.exe
4696 powershell.exe
1040 powershell.exe
204 powershell.exe
892 taskhostw.exe
4680 taskhostw.exe
3936 taskhostw.exe
4748 taskhostw.exe
4432 taskhostw.exe
4056 taskhostw.exe
544 taskhostw.exe
2492 taskhostw.exe
2412 taskhostw.exe
416 taskhostw.exe
1712 taskhostw.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 3884 DllCommonsvc.exe
Token: SeDebugPrivilege 420 powershell.exe
Token: SeDebugPrivilege 1020 powershell.exe
Token: SeDebugPrivilege 2032 taskhostw.exe
Token: SeDebugPrivilege 1236 powershell.exe
Token: SeDebugPrivilege 3152 powershell.exe
Token: SeDebugPrivilege 1672 powershell.exe
Token: SeDebugPrivilege 612 powershell.exe
Token: SeDebugPrivilege 1040 powershell.exe
Token: SeDebugPrivilege 4696 powershell.exe
Token: SeDebugPrivilege 204 powershell.exe
Token: SeIncreaseQuotaPrivilege 1236 powershell.exe
Token: SeSecurityPrivilege 1236 powershell.exe
Token: SeTakeOwnershipPrivilege 1236 powershell.exe
Token: SeLoadDriverPrivilege 1236 powershell.exe
Token: SeSystemProfilePrivilege 1236 powershell.exe
Token: SeSystemtimePrivilege 1236 powershell.exe
Token: SeProfSingleProcessPrivilege 1236 powershell.exe
Token: SeIncBasePriorityPrivilege 1236 powershell.exe
Token: SeCreatePagefilePrivilege 1236 powershell.exe
Token: SeBackupPrivilege 1236 powershell.exe
Token: SeRestorePrivilege 1236 powershell.exe
Token: SeShutdownPrivilege 1236 powershell.exe
Token: SeDebugPrivilege 1236 powershell.exe
Token: SeSystemEnvironmentPrivilege 1236 powershell.exe
Token: SeRemoteShutdownPrivilege 1236 powershell.exe
Token: SeUndockPrivilege 1236 powershell.exe
Token: SeManageVolumePrivilege 1236 powershell.exe
Token: 33 1236 powershell.exe
Token: 34 1236 powershell.exe
Token: 35 1236 powershell.exe
Token: 36 1236 powershell.exe
Token: SeIncreaseQuotaPrivilege 612 powershell.exe
Token: SeSecurityPrivilege 612 powershell.exe
Token: SeTakeOwnershipPrivilege 612 powershell.exe
Token: SeLoadDriverPrivilege 612 powershell.exe
Token: SeSystemProfilePrivilege 612 powershell.exe
Token: SeSystemtimePrivilege 612 powershell.exe
Token: SeProfSingleProcessPrivilege 612 powershell.exe
Token: SeIncBasePriorityPrivilege 612 powershell.exe
Token: SeCreatePagefilePrivilege 612 powershell.exe
Token: SeBackupPrivilege 612 powershell.exe
Token: SeRestorePrivilege 612 powershell.exe
Token: SeShutdownPrivilege 612 powershell.exe
Token: SeDebugPrivilege 612 powershell.exe
Token: SeSystemEnvironmentPrivilege 612 powershell.exe
Token: SeRemoteShutdownPrivilege 612 powershell.exe
Token: SeUndockPrivilege 612 powershell.exe
Token: SeManageVolumePrivilege 612 powershell.exe
Token: 33 612 powershell.exe
Token: 34 612 powershell.exe
Token: 35 612 powershell.exe
Token: 36 612 powershell.exe
Token: SeIncreaseQuotaPrivilege 420 powershell.exe
Token: SeSecurityPrivilege 420 powershell.exe
Token: SeTakeOwnershipPrivilege 420 powershell.exe
Token: SeLoadDriverPrivilege 420 powershell.exe
Token: SeSystemProfilePrivilege 420 powershell.exe
Token: SeSystemtimePrivilege 420 powershell.exe
Token: SeProfSingleProcessPrivilege 420 powershell.exe
Token: SeIncBasePriorityPrivilege 420 powershell.exe
Token: SeCreatePagefilePrivilege 420 powershell.exe
Token: SeBackupPrivilege 420 powershell.exe
Token: SeRestorePrivilege 420 powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2716 wrote to memory of 4892 2716 e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe 66
PID 2716 wrote to memory of 4892 2716 e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe 66
PID 2716 wrote to memory of 4892 2716 e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe 66
PID 4892 wrote to memory of 2000 4892 WScript.exe 67
PID 4892 wrote to memory of 2000 4892 WScript.exe 67
PID 4892 wrote to memory of 2000 4892 WScript.exe 67
PID 2000 wrote to memory of 3884 2000 cmd.exe 69
PID 2000 wrote to memory of 3884 2000 cmd.exe 69
PID 3884 wrote to memory of 420 3884 DllCommonsvc.exe 95
PID 3884 wrote to memory of 420 3884 DllCommonsvc.exe 95
PID 3884 wrote to memory of 1020 3884 DllCommonsvc.exe 97
PID 3884 wrote to memory of 1020 3884 DllCommonsvc.exe 97
PID 3884 wrote to memory of 3152 3884 DllCommonsvc.exe 98
PID 3884 wrote to memory of 3152 3884 DllCommonsvc.exe 98
PID 3884 wrote to memory of 1236 3884 DllCommonsvc.exe 112
PID 3884 wrote to memory of 1236 3884 DllCommonsvc.exe 112
PID 3884 wrote to memory of 1672 3884 DllCommonsvc.exe 99
PID 3884 wrote to memory of 1672 3884 DllCommonsvc.exe 99
PID 3884 wrote to memory of 612 3884 DllCommonsvc.exe 110
PID 3884 wrote to memory of 612 3884 DllCommonsvc.exe 110
PID 3884 wrote to memory of 1040 3884 DllCommonsvc.exe 101
PID 3884 wrote to memory of 1040 3884 DllCommonsvc.exe 101
PID 3884 wrote to memory of 4696 3884 DllCommonsvc.exe 102
PID 3884 wrote to memory of 4696 3884 DllCommonsvc.exe 102
PID 3884 wrote to memory of 204 3884 DllCommonsvc.exe 103
PID 3884 wrote to memory of 204 3884 DllCommonsvc.exe 103
PID 3884 wrote to memory of 2032 3884 DllCommonsvc.exe 108
PID 3884 wrote to memory of 2032 3884 DllCommonsvc.exe 108
PID 2032 wrote to memory of 4136 2032 taskhostw.exe 115
PID 2032 wrote to memory of 4136 2032 taskhostw.exe 115
PID 4136 wrote to memory of 4688 4136 cmd.exe 117
PID 4136 wrote to memory of 4688 4136 cmd.exe 117
PID 4136 wrote to memory of 892 4136 cmd.exe 118
PID 4136 wrote to memory of 892 4136 cmd.exe 118
PID 892 wrote to memory of 2484 892 taskhostw.exe 119
PID 892 wrote to memory of 2484 892 taskhostw.exe 119
PID 2484 wrote to memory of 4488 2484 cmd.exe 121
PID 2484 wrote to memory of 4488 2484 cmd.exe 121
PID 2484 wrote to memory of 4680 2484 cmd.exe 122
PID 2484 wrote to memory of 4680 2484 cmd.exe 122
PID 4680 wrote to memory of 3468 4680 taskhostw.exe 123
PID 4680 wrote to memory of 3468 4680 taskhostw.exe 123
PID 3468 wrote to memory of 4336 3468 cmd.exe 125
PID 3468 wrote to memory of 4336 3468 cmd.exe 125
PID 3468 wrote to memory of 3936 3468 cmd.exe 126
PID 3468 wrote to memory of 3936 3468 cmd.exe 126
PID 3936 wrote to memory of 4620 3936 taskhostw.exe 127
PID 3936 wrote to memory of 4620 3936 taskhostw.exe 127
PID 4620 wrote to memory of 4756 4620 cmd.exe 129
PID 4620 wrote to memory of 4756 4620 cmd.exe 129
PID 4620 wrote to memory of 4748 4620 cmd.exe 130
PID 4620 wrote to memory of 4748 4620 cmd.exe 130
PID 4748 wrote to memory of 4628 4748 taskhostw.exe 131
PID 4748 wrote to memory of 4628 4748 taskhostw.exe 131
PID 4628 wrote to memory of 1652 4628 cmd.exe 133
PID 4628 wrote to memory of 1652 4628 cmd.exe 133
PID 4628 wrote to memory of 4432 4628 cmd.exe 134
PID 4628 wrote to memory of 4432 4628 cmd.exe 134
PID 4432 wrote to memory of 1280 4432 taskhostw.exe 135
PID 4432 wrote to memory of 1280 4432 taskhostw.exe 135
PID 1280 wrote to memory of 2288 1280 cmd.exe 137
PID 1280 wrote to memory of 2288 1280 cmd.exe 137
PID 1280 wrote to memory of 4056 1280 cmd.exe 138
PID 1280 wrote to memory of 4056 1280 cmd.exe 138
Processes
-
C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe "C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe" 1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716
-
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Suspicious use of WriteProcessMemory
PID:4892
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Suspicious use of WriteProcessMemory
PID:2000
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\sppsvc.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:204
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:4136
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵
PID:4688
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:2484
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵
PID:4488
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4680
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat" 10⤵
- Suspicious use of WriteProcessMemory
PID:3468
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵
PID:4336
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat" 12⤵
- Suspicious use of WriteProcessMemory
PID:4620
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵
PID:4756
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4748
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat" 14⤵
- Suspicious use of WriteProcessMemory
PID:4628
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵
PID:1652
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat" 16⤵
- Suspicious use of WriteProcessMemory
PID:1280
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵
PID:2288
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4056
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat" 18⤵
PID:4908
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵
PID:4880
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:544
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat" 20⤵
PID:4328
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵
PID:196
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2492
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat" 22⤵
PID:4804
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵
PID:2532
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 23⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2412
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat" 24⤵
PID:4384
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵
PID:208
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 25⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:416
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat" 26⤵
PID:4972
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵
PID:4424
-
-
C:\providercommon\taskhostw.exe "C:\providercommon\taskhostw.exe" 27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsass.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236
-
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhostw.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
196B
MD53d6d8d2ea7345f8cab0a7670e601b63d
SHA1f3d5384d6df72f242f52334b48e60e88b6094f81
SHA256bb7c672e426f5fae6cdcfdd78aaa40abf99a3626b5921e50a9bc3db00182f716
SHA512f8b32e90207f1b0d03c4778a2ef0cfeb822ebb311026ea764b7352ad628fc81932e90ae2288f7e8db1bddf6349f187535dc4574352d80b981f747315a1edff6a
-
Filesize
196B
MD5da353769e1d27afce1da128f363bf006
SHA110651200d28b90adb54fc27ce1e01614d216da3d
SHA256dd5839a9fe8dc10a642915a1e4e1f593a135bbb599de954e6547909fa6ba5349
SHA512d46281b54f4a6bf9b9dd03f2f70aa3ec0f6c269936ade0706ab345c726573792b176745ce505c4f272063f9c76b52c4de8b47fe39dd1f8553e5b1d1c8533e393
-
Filesize
196B
MD58bd29cddce0c906d872bc3ffdb74fe67
SHA1daeca90dbc4ed563057e412d6f9153d7a27fb5a6
SHA256298963fdaa930bcdbd7f9e6da5d920a92e512763701dad2d97cbb00f7268a1d8
SHA51296cabf7253d961e14ecadbb2e6bf622c7f152decc9889de4bce6a1bc49d12b76b3dd7e859cdcbc0ea283ae8b9f4a2d64e71f625962f4c6c0d731e6d066a2457b
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478