Analysis
max time kernel: 158s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 03:19
Behavioral task behavioral1
Sample: NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Size: 1.4MB
MD5: 0e28ad7c051feab83c13d21b648a8d60
SHA1: ed5e0a9db6860af386c099452870856b649d2841
SHA256: 8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA512: 68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda
SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3332 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4940 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4752 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4360 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1320 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1632 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3408 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2556 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4516 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3992 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4552 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3148 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4788 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2240 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 676 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3316 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4476 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4996 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3996 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1244 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1000 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1280 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 944 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3484 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3096 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 384 | 4540 | schtasks.exe | 87 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 4540 | schtasks.exe | 87 |
-
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
-
| resource | yara_rule |
| --- | --- |
| behavioral2/memory/3440-0-0x00000000008B0000-0x0000000000A1C000-memory.dmp | dcrat |
| behavioral2/files/0x0007000000022e03-36.dat | dcrat |
| behavioral2/files/0x0007000000022e14-355.dat | dcrat |
| behavioral2/files/0x0007000000022e14-356.dat | dcrat |
| behavioral2/files/0x0007000000022e14-381.dat | dcrat |
| behavioral2/files/0x0007000000022e54-391.dat | dcrat |
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | sihost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | sihost.exe |
-
Executes dropped EXE 2 IoCs
| pid | Process |
| --- | --- |
| 5352 | sihost.exe |
| 3368 | sihost.exe |
-
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe |
-
Drops file in Program Files directory 5 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\eddb19405b7ce1 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXE941.tmp | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXE942.tmp | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
-
Drops file in Windows directory 10 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\tracing\backgroundTaskHost.exe | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File created | C:\Windows\tracing\eddb19405b7ce1 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File opened for modification | C:\Windows\appcompat\Programs\taskhostw.exe | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File created | C:\Windows\appcompat\Programs\taskhostw.exe | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File created | C:\Windows\appcompat\Programs\ea9f0e6c9e2dcd | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File opened for modification | C:\Windows\tracing\RCXE507.tmp | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File opened for modification | C:\Windows\tracing\RCXE508.tmp | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File opened for modification | C:\Windows\tracing\backgroundTaskHost.exe | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File opened for modification | C:\Windows\appcompat\Programs\RCXEB56.tmp | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| File opened for modification | C:\Windows\appcompat\Programs\RCXEB67.tmp | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
| --- | --- |
| 4752 | schtasks.exe |
| 1244 | schtasks.exe |
| 1000 | schtasks.exe |
| 1280 | schtasks.exe |
| 3096 | schtasks.exe |
| 4360 | schtasks.exe |
| 1320 | schtasks.exe |
| 1632 | schtasks.exe |
| 2556 | schtasks.exe |
| 3332 | schtasks.exe |
| 944 | schtasks.exe |
| 3484 | schtasks.exe |
| 4552 | schtasks.exe |
| 3148 | schtasks.exe |
| 2240 | schtasks.exe |
| 3996 | schtasks.exe |
| 3992 | schtasks.exe |
| 3408 | schtasks.exe |
| 4788 | schtasks.exe |
| 384 | schtasks.exe |
| 4940 | schtasks.exe |
| 4516 | schtasks.exe |
| 4476 | schtasks.exe |
| 4996 | schtasks.exe |
| 676 | schtasks.exe |
| 3316 | schtasks.exe |
| 1740 | schtasks.exe |
-
Modifies registry class 3 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings | sihost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
| pid | Process |
| --- | --- |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 3996 | powershell.exe |
| 3996 | powershell.exe |
| 1552 | powershell.exe |
| 1552 | powershell.exe |
| 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| 4880 | powershell.exe |
| 4880 | powershell.exe |
| 396 | powershell.exe |
| 396 | powershell.exe |
| 2596 | powershell.exe |
| 2596 | powershell.exe |
| 1460 | powershell.exe |
| 1460 | powershell.exe |
| 3484 | powershell.exe |
| 3484 | powershell.exe |
| 524 | powershell.exe |
| 524 | powershell.exe |
| 2180 | powershell.exe |
| 2180 | powershell.exe |
| 3400 | powershell.exe |
| 3400 | powershell.exe |
| 4996 | powershell.exe |
| 4996 | powershell.exe |
| 752 | powershell.exe |
| 752 | powershell.exe |
| 3996 | powershell.exe |
| 4880 | powershell.exe |
| 524 | powershell.exe |
| 2596 | powershell.exe |
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Token: SeDebugPrivilege | 3996 | powershell.exe |
| Token: SeDebugPrivilege | 524 | powershell.exe |
| Token: SeDebugPrivilege | 1552 | powershell.exe |
| Token: SeDebugPrivilege | 4880 | powershell.exe |
| Token: SeDebugPrivilege | 396 | powershell.exe |
| Token: SeDebugPrivilege | 2596 | powershell.exe |
| Token: SeDebugPrivilege | 752 | powershell.exe |
| Token: SeDebugPrivilege | 1460 | powershell.exe |
| Token: SeDebugPrivilege | 3484 | powershell.exe |
| Token: SeDebugPrivilege | 2180 | powershell.exe |
| Token: SeDebugPrivilege | 3400 | powershell.exe |
| Token: SeDebugPrivilege | 4996 | powershell.exe |
| Token: SeDebugPrivilege | 5352 | sihost.exe |
| Token: SeDebugPrivilege | 3368 | sihost.exe |
-
Suspicious use of WriteProcessMemory 40 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3440 wrote to memory of 1552 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 124 |
| PID 3440 wrote to memory of 1552 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 124 |
| PID 3440 wrote to memory of 4880 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 125 |
| PID 3440 wrote to memory of 4880 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 125 |
| PID 3440 wrote to memory of 4996 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 126 |
| PID 3440 wrote to memory of 4996 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 126 |
| PID 3440 wrote to memory of 524 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 127 |
| PID 3440 wrote to memory of 524 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 127 |
| PID 3440 wrote to memory of 3996 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 128 |
| PID 3440 wrote to memory of 3996 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 128 |
| PID 3440 wrote to memory of 2180 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 129 |
| PID 3440 wrote to memory of 2180 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 129 |
| PID 3440 wrote to memory of 2596 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 145 |
| PID 3440 wrote to memory of 2596 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 145 |
| PID 3440 wrote to memory of 396 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 143 |
| PID 3440 wrote to memory of 396 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 143 |
| PID 3440 wrote to memory of 1460 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 142 |
| PID 3440 wrote to memory of 1460 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 142 |
| PID 3440 wrote to memory of 3400 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 132 |
| PID 3440 wrote to memory of 3400 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 132 |
| PID 3440 wrote to memory of 3484 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 131 |
| PID 3440 wrote to memory of 3484 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 131 |
| PID 3440 wrote to memory of 752 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 130 |
| PID 3440 wrote to memory of 752 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 130 |
| PID 3440 wrote to memory of 4752 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 148 |
| PID 3440 wrote to memory of 4752 | 3440 | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe | 148 |
| PID 4752 wrote to memory of 6084 | 4752 | cmd.exe | 151 |
| PID 4752 wrote to memory of 6084 | 4752 | cmd.exe | 151 |
| PID 4752 wrote to memory of 5352 | 4752 | cmd.exe | 153 |
| PID 4752 wrote to memory of 5352 | 4752 | cmd.exe | 153 |
| PID 5352 wrote to memory of 2596 | 5352 | sihost.exe | 160 |
| PID 5352 wrote to memory of 2596 | 5352 | sihost.exe | 160 |
| PID 5352 wrote to memory of 1740 | 5352 | sihost.exe | 161 |
| PID 5352 wrote to memory of 1740 | 5352 | sihost.exe | 161 |
| PID 2596 wrote to memory of 3368 | 2596 | WScript.exe | 165 |
| PID 2596 wrote to memory of 3368 | 2596 | WScript.exe | 165 |
| PID 3368 wrote to memory of 5780 | 3368 | sihost.exe | 166 |
| PID 3368 wrote to memory of 5780 | 3368 | sihost.exe | 166 |
| PID 3368 wrote to memory of 4456 | 3368 | sihost.exe | 167 |
| PID 3368 wrote to memory of 4456 | 3368 | sihost.exe | 167 |
-
System policy modification 1 TTPs 9 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | NEAS.0e28ad7c051feab83c13d21b648a8d60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe |
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3440

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1552

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4880

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4996

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 524

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3996

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2180

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 752

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3484

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3400

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1460

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 396

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2596

  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fc7N4hi3mv.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4752

    C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 6084

    C:\Users\Admin\SendTo\sihost.exe
    Command line: "C:\Users\Admin\SendTo\sihost.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 5352

      C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f95379a0-7df4-4338-a6b1-eac709e1129f.vbs"
      - Suspicious use of WriteProcessMemory
      PID: 2596

        C:\Users\Admin\SendTo\sihost.exe
        Command line: C:\Users\Admin\SendTo\sihost.exe
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 3368

          C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf555f34-dc56-430f-9bdf-9b836bfb9c85.vbs"
          PID: 5780

          C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f3f8b9c-963e-4aba-be7c-ff74ae25a3b2.vbs"
          PID: 4456

      C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5297db2e-7162-4182-b6b3-533eefe8682b.vbs"
      PID: 1740

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3332

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4940

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4752

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\odt\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4360

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1320

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1632

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3408

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2556

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4516

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3992

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4552

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3148

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4788

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2240

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 676

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\Programs\taskhostw.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3316

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4476

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\Programs\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4996

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3996

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1244

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1000

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1280

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 944

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3484

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3096

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 384

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1740
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
SHA1d0a64fef9c06d3ec7a4b7193382f7ac1361e4244
SHA25685f7e3865f825b6a92651036c451d5ee065fc1972490a2c63264bcda84d30134
SHA51210fb57da9f1a69b1c4122c734a7422ce2c40b750f60a729e41ebbaa0b043ea8396af3290e0565802a8d18d750cc1839ac7de8ab60020a5253d05581951e4ff07
-
Filesize
197B
MD5e0a107d4ea3d8827855411fdcf4dbfc3
SHA163eb45dfee77fe6a36e104d334a67fd50e00c71c
SHA256f11de31a51c7359af43c5b1a84f8dc381426e6f9da8485b3b325ab24a6e28280
SHA512e8afc9baafe27d505d8b3a6a881d4dd5f5a90c1dd74c3af538287a0fbf55cba714969986e8260565495deb9ccf83e2c215678b2ce72013746fced16ea7123a0d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
708B
MD5846fb61165a9464fb7e0dc0a5ce0fced
SHA15b2a514345c1e3c0da12d639b0b3a9c123fa6883
SHA2567ec7ed10a399e90e050d7c229c2b6abaebc8a16441b9be088f3bf3a7fdd477ff
SHA512cd9feec6729d02e9deac256087872caba5c32ce9c7518bfb2761877b84972c39649ad44d037ab8b17453fe4a8d2963a5a8d51dcf69f2f70dc3525dbe67f00de8
-
Filesize
708B
MD519e510f875e0fde82eaaf54180eb6948
SHA107de5685ffbf644b9ff84e28cff07a36533bfc54
SHA2568f6f641a09462214d2cd6aa4897058abf3ac39b56cfbe6d037aa8005711ce351
SHA512cb4cb31958e2351e324a1ffface45bc4ea043a9ba42694b7391f51b78f1b26010bc688ae9be4f8e54a5b66e574a135a086561b9a9748d195f06802ee16a9774b
-
Filesize
1.4MB
MD50e28ad7c051feab83c13d21b648a8d60
SHA1ed5e0a9db6860af386c099452870856b649d2841
SHA2568732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA51268031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda
-
Filesize
1.4MB
MD50e28ad7c051feab83c13d21b648a8d60
SHA1ed5e0a9db6860af386c099452870856b649d2841
SHA2568732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA51268031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda
-
Filesize
1.4MB
MD50e28ad7c051feab83c13d21b648a8d60
SHA1ed5e0a9db6860af386c099452870856b649d2841
SHA2568732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6
SHA51268031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda