Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2023, 01:52
Behavioral task: behavioral1
Sample: 4d7463d7f489ec7de6ebea288af19270.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: 4d7463d7f489ec7de6ebea288af19270.exe
Resource: win10v2004-20231020-en
General
Target: 4d7463d7f489ec7de6ebea288af19270.exe
Size: 1.4MB
MD5: 4d7463d7f489ec7de6ebea288af19270
SHA1: 3a350b9badebb0d9f31bf6472d6f5c69d246ef39
SHA256: bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48
SHA512: 1dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4
SSDEEP: 24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2324 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4836 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3872 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4904 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3968 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4696 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3728 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 676 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1440 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1236 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3796 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3544 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 648 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3836 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 5060 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4136 | 5060 | schtasks.exe | 86
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 4d7463d7f489ec7de6ebea288af19270.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4d7463d7f489ec7de6ebea288af19270.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 4d7463d7f489ec7de6ebea288af19270.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
resource | yara_rule
behavioral2/memory/4960-0-0x0000000000E60000-0x0000000000FCC000-memory.dmp | dcrat
behavioral2/files/0x0007000000022e32-36.dat | dcrat
behavioral2/files/0x0007000000022e2a-290.dat | dcrat
behavioral2/files/0x0007000000022e2a-289.dat | dcrat
behavioral2/files/0x0007000000022e2a-388.dat | dcrat
behavioral2/files/0x000c000000022e4d-399.dat | dcrat
behavioral2/files/0x0007000000022e2a-417.dat | dcrat
behavioral2/files/0x000c000000022e4d-425.dat | dcrat
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | 4d7463d7f489ec7de6ebea288af19270.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | wininit.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | wininit.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | wininit.exe
Executes dropped EXE 3 IoCs
pid | Process
5508 | wininit.exe
260 | wininit.exe
4732 | wininit.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4d7463d7f489ec7de6ebea288af19270.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4d7463d7f489ec7de6ebea288af19270.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Windows Defender\de-DE\RCXA9FF.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\amd64\RCXB0DB.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe | 4d7463d7f489ec7de6ebea288af19270.exe
File created | C:\Program Files\Java\jre-1.8\lib\amd64\22eafd247d37c3 | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\wininit.exe | 4d7463d7f489ec7de6ebea288af19270.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\eddb19405b7ce1 | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\amd64\RCXB0EC.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXB300.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\RCXAA10.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXB311.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File created | C:\Program Files\Windows Defender\de-DE\wininit.exe | 4d7463d7f489ec7de6ebea288af19270.exe
File created | C:\Program Files\Windows Defender\de-DE\56085415360792 | 4d7463d7f489ec7de6ebea288af19270.exe
File created | C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe | 4d7463d7f489ec7de6ebea288af19270.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe | 4d7463d7f489ec7de6ebea288af19270.exe
Drops file in Windows directory 10 IoCs
description | ioc | Process
File created | C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\5b884080fd4f94 | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Windows\addins\RCXA7DC.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\RCXAE49.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\RCXAE5A.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File created | C:\Windows\addins\sihost.exe | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Windows\addins\sihost.exe | 4d7463d7f489ec7de6ebea288af19270.exe
File created | C:\Windows\addins\66fc9ff0ee96c2 | 4d7463d7f489ec7de6ebea288af19270.exe
File created | C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Windows\addins\RCXA7DB.tmp | 4d7463d7f489ec7de6ebea288af19270.exe
File opened for modification | C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe | 4d7463d7f489ec7de6ebea288af19270.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4904 | schtasks.exe
1440 | schtasks.exe
1108 | schtasks.exe
3836 | schtasks.exe
2544 | schtasks.exe
4136 | schtasks.exe
3872 | schtasks.exe
4836 | schtasks.exe
1676 | schtasks.exe
3728 | schtasks.exe
676 | schtasks.exe
648 | schtasks.exe
2324 | schtasks.exe
4696 | schtasks.exe
3796 | schtasks.exe
3968 | schtasks.exe
3544 | schtasks.exe
1236 | schtasks.exe
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 4d7463d7f489ec7de6ebea288af19270.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | wininit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 3532 powershell.exe 3532 powershell.exe 3924 powershell.exe 3924 powershell.exe 4668 powershell.exe 4668 powershell.exe 1612 powershell.exe 1612 powershell.exe 4556 powershell.exe 4556 powershell.exe 5028 powershell.exe 5028 powershell.exe 3036 powershell.exe 3036 powershell.exe 1796 powershell.exe 1796 powershell.exe 1048 powershell.exe 1048 powershell.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 3328 powershell.exe 3328 powershell.exe 3756 powershell.exe 3756 powershell.exe 8 powershell.exe 8 powershell.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 4960 4d7463d7f489ec7de6ebea288af19270.exe 
4960 4d7463d7f489ec7de6ebea288af19270.exe 3532 powershell.exe 3924 powershell.exe 4556 powershell.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe
Token: SeDebugPrivilege | 3532 | powershell.exe
Token: SeDebugPrivilege | 3924 | powershell.exe
Token: SeDebugPrivilege | 4668 | powershell.exe
Token: SeDebugPrivilege | 1612 | powershell.exe
Token: SeDebugPrivilege | 4556 | powershell.exe
Token: SeDebugPrivilege | 5028 | powershell.exe
Token: SeDebugPrivilege | 3036 | powershell.exe
Token: SeDebugPrivilege | 1796 | powershell.exe
Token: SeDebugPrivilege | 1048 | powershell.exe
Token: SeDebugPrivilege | 3328 | powershell.exe
Token: SeDebugPrivilege | 3756 | powershell.exe
Token: SeDebugPrivilege | 8 | powershell.exe
Token: SeDebugPrivilege | 5508 | wininit.exe
Token: SeDebugPrivilege | 260 | wininit.exe
Token: SeDebugPrivilege | 4732 | wininit.exe
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
PID 4960 wrote to memory of 8 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 113
PID 4960 wrote to memory of 8 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 113
PID 4960 wrote to memory of 4556 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 114
PID 4960 wrote to memory of 4556 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 114
PID 4960 wrote to memory of 5028 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 115
PID 4960 wrote to memory of 5028 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 115
PID 4960 wrote to memory of 1048 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 135
PID 4960 wrote to memory of 1048 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 135
PID 4960 wrote to memory of 3756 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 134
PID 4960 wrote to memory of 3756 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 134
PID 4960 wrote to memory of 3036 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 133
PID 4960 wrote to memory of 3036 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 133
PID 4960 wrote to memory of 3532 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 132
PID 4960 wrote to memory of 3532 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 132
PID 4960 wrote to memory of 1612 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 131
PID 4960 wrote to memory of 1612 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 131
PID 4960 wrote to memory of 1796 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 130
PID 4960 wrote to memory of 1796 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 130
PID 4960 wrote to memory of 4668 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 129
PID 4960 wrote to memory of 4668 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 129
PID 4960 wrote to memory of 3328 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 128
PID 4960 wrote to memory of 3328 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 128
PID 4960 wrote to memory of 3924 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 127
PID 4960 wrote to memory of 3924 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 127
PID 4960 wrote to memory of 5508 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 138
PID 4960 wrote to memory of 5508 | 4960 | 4d7463d7f489ec7de6ebea288af19270.exe | 138
PID 5508 wrote to memory of 5280 | 5508 | wininit.exe | 141
PID 5508 wrote to memory of 5280 | 5508 | wininit.exe | 141
PID 5508 wrote to memory of 5352 | 5508 | wininit.exe | 142
PID 5508 wrote to memory of 5352 | 5508 | wininit.exe | 142
PID 5280 wrote to memory of 260 | 5280 | WScript.exe | 145
PID 5280 wrote to memory of 260 | 5280 | WScript.exe | 145
PID 260 wrote to memory of 2372 | 260 | wininit.exe | 146
PID 260 wrote to memory of 2372 | 260 | wininit.exe | 146
PID 260 wrote to memory of 5488 | 260 | wininit.exe | 147
PID 260 wrote to memory of 5488 | 260 | wininit.exe | 147
PID 2372 wrote to memory of 4732 | 2372 | WScript.exe | 157
PID 2372 wrote to memory of 4732 | 2372 | WScript.exe | 157
PID 4732 wrote to memory of 3352 | 4732 | wininit.exe | 158
PID 4732 wrote to memory of 3352 | 4732 | wininit.exe | 158
PID 4732 wrote to memory of 2232 | 4732 | wininit.exe | 159
PID 4732 wrote to memory of 2232 | 4732 | wininit.exe | 159
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4d7463d7f489ec7de6ebea288af19270.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 4d7463d7f489ec7de6ebea288af19270.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 4d7463d7f489ec7de6ebea288af19270.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe"C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4960 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
C:\Program Files\Windows Defender\de-DE\wininit.exe"C:\Program Files\Windows Defender\de-DE\wininit.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5508 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2f59dd7-6169-4f69-ab51-594b56de6c90.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:5280 -
C:\Program Files\Windows Defender\de-DE\wininit.exe"C:\Program Files\Windows Defender\de-DE\wininit.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:260 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa66a7cb-65d8-40cf-bb40-fa150af96a5d.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Program Files\Windows Defender\de-DE\wininit.exe"C:\Program Files\Windows Defender\de-DE\wininit.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4732 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9569fd1d-c2f0-4ba0-8992-74693b793316.vbs"7⤵PID:3352
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac686863-9ccc-4589-95bb-f22e8fffe1d9.vbs"7⤵PID:2232
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c53138e1-5f69-4375-8358-2d4ac4715a7f.vbs"5⤵PID:5488
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4cd69a9-5812-452d-94aa-8ab1c37c6641.vbs"3⤵PID:5352
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
-
Filesize
944B
MD59611cc3fb39fedd4b0e81d90b044531c
SHA1e35c10c1c1e29d44222114e0f72d58b3072880fd
SHA2562090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec
SHA51292cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d
-
Filesize
727B
MD5e9d3189dd9b2c8851a0cbd9fdf41f8be
SHA11f143a7e1722b97c73bafa3dcf25b0ffc8cb7100
SHA256cb1d310b730b3c837071ffb0e3562acc7f8c9d4202bc376a15813a02ed899ba1
SHA512733c6957ed04218f58a5068ef4d2bf1415cbadf53b8f0e8825dec02909b869c6487289f84c1c3ce49034a2cd334c62f82fb888da4ffd2b389e674d358bc1cbd8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
726B
MD5d401d2959f55f79492d360e59e242db1
SHA1e6256ce183b6b1f510810ee41eff0fa095a73440
SHA25633817e9fbb2b5209270ea07401c41685cd939a006471f7b3926b0cd05c563b58
SHA512b9ad583fe3212ab8c0259494887afa20f0de716da39108da87de47bc78bfcae05fa2f486b849d9da627ab35d01c0e981228a934679de6bf299acb1cfb4a694ba
-
Filesize
1.4MB
MD54d7463d7f489ec7de6ebea288af19270
SHA13a350b9badebb0d9f31bf6472d6f5c69d246ef39
SHA256bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48
SHA5121dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4
-
Filesize
1.4MB
MD54d7463d7f489ec7de6ebea288af19270
SHA13a350b9badebb0d9f31bf6472d6f5c69d246ef39
SHA256bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48
SHA5121dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4
-
Filesize
503B
MD5c102e36fa34d16b1f27b0ac168f08a06
SHA1ec81d51e780575d8ddcd7850117b7f49bef6522e
SHA256720a20170ed0167caceffce8b4db82625a02b39a6dbc8bd3e9bf996945552fb3
SHA512039be8557f80aeb05d898315db6d38ab9ae2f3eda358c74c5ecccac1d7b4c3ad11c67a79cdc76a5ff9934c4f98d784393b128ea0926675a922986b236c2ba9b6
-
Filesize
503B
MD5c102e36fa34d16b1f27b0ac168f08a06
SHA1ec81d51e780575d8ddcd7850117b7f49bef6522e
SHA256720a20170ed0167caceffce8b4db82625a02b39a6dbc8bd3e9bf996945552fb3
SHA512039be8557f80aeb05d898315db6d38ab9ae2f3eda358c74c5ecccac1d7b4c3ad11c67a79cdc76a5ff9934c4f98d784393b128ea0926675a922986b236c2ba9b6
-
Filesize
503B
MD5c102e36fa34d16b1f27b0ac168f08a06
SHA1ec81d51e780575d8ddcd7850117b7f49bef6522e
SHA256720a20170ed0167caceffce8b4db82625a02b39a6dbc8bd3e9bf996945552fb3
SHA512039be8557f80aeb05d898315db6d38ab9ae2f3eda358c74c5ecccac1d7b4c3ad11c67a79cdc76a5ff9934c4f98d784393b128ea0926675a922986b236c2ba9b6
-
Filesize
503B
MD5c102e36fa34d16b1f27b0ac168f08a06
SHA1ec81d51e780575d8ddcd7850117b7f49bef6522e
SHA256720a20170ed0167caceffce8b4db82625a02b39a6dbc8bd3e9bf996945552fb3
SHA512039be8557f80aeb05d898315db6d38ab9ae2f3eda358c74c5ecccac1d7b4c3ad11c67a79cdc76a5ff9934c4f98d784393b128ea0926675a922986b236c2ba9b6
-
Filesize
727B
MD57e8902373b0c660cf40ec7bcc10cdb55
SHA1333d210325e3610c6075419ccdf683c7a3f279b0
SHA256be60f1eb8f02c9a387551a7415978136ef6ec5cfefc77aa77b77c92ea0310504
SHA512eb52e00854232eb3df5c28d76184dee692e3f4f20f011d24cf8956d4a307f9af9d73ac25417d52137a23ac45fd7c885c311f7fb322007d8461418243cc0120d0