Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 24/03/2024, 14:48
Behavioral task: behavioral1
Sample: 1994f3ef2118aeecbb74e6c8976fd47b.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 1994f3ef2118aeecbb74e6c8976fd47b.exe
Resource: win10v2004-20240226-en
General
Target: 1994f3ef2118aeecbb74e6c8976fd47b.exe
Size: 3.2MB
MD5: 1994f3ef2118aeecbb74e6c8976fd47b
SHA1: 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512: 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
SSDEEP: 49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2484 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2968 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2164 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 524 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2392 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 672 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1144 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2808 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2108 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2512 | 2412 | schtasks.exe | 28 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2400 | 2412 | schtasks.exe | 28 |
Executes dropped EXE 9 IoCs
| pid | Process |
| --- | --- |
| 2800 | csrss.exe |
| 1044 | csrss.exe |
| 1688 | csrss.exe |
| 2256 | csrss.exe |
| 2320 | csrss.exe |
| 2372 | csrss.exe |
| 2960 | csrss.exe |
| 2632 | csrss.exe |
| 996 | csrss.exe |
Drops file in Windows directory 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\CSC\v2.0.6\dllhost.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
| --- | --- |
| 2164 | schtasks.exe |
| 1144 | schtasks.exe |
| 2808 | schtasks.exe |
| 2972 | schtasks.exe |
| 2484 | schtasks.exe |
| 2392 | schtasks.exe |
| 2592 | schtasks.exe |
| 672 | schtasks.exe |
| 2400 | schtasks.exe |
| 2512 | schtasks.exe |
| 2968 | schtasks.exe |
| 524 | schtasks.exe |
| 2856 | schtasks.exe |
| 2108 | schtasks.exe |
| 2744 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 10 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2120 | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Token: SeDebugPrivilege | 2800 | csrss.exe |
| Token: SeDebugPrivilege | 1044 | csrss.exe |
| Token: SeDebugPrivilege | 1688 | csrss.exe |
| Token: SeDebugPrivilege | 2256 | csrss.exe |
| Token: SeDebugPrivilege | 2320 | csrss.exe |
| Token: SeDebugPrivilege | 2372 | csrss.exe |
| Token: SeDebugPrivilege | 2960 | csrss.exe |
| Token: SeDebugPrivilege | 2632 | csrss.exe |
| Token: SeDebugPrivilege | 996 | csrss.exe |
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 30 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe "C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe" 1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2120

C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m5CkcR6d4r.bat" 2⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 3⤵
PID:804

C:\Users\Public\Music\csrss.exe "C:\Users\Public\Music\csrss.exe" 3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2800

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f7b6709-ed26-4a1c-82fb-31a4d65289cd.vbs" 4⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Public\Music\csrss.exe C:\Users\Public\Music\csrss.exe 5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1044

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91f93f14-0adf-4493-91f4-352bef19b4fb.vbs" 6⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Public\Music\csrss.exe C:\Users\Public\Music\csrss.exe 7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1688

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bd31eb5-9fa2-4257-9bc5-a43ac41aa03d.vbs" 8⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Public\Music\csrss.exe C:\Users\Public\Music\csrss.exe 9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2256

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46503802-e186-47cb-b1ef-d2b7be6c7a60.vbs" 10⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Public\Music\csrss.exe C:\Users\Public\Music\csrss.exe 11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2320

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a027564c-375f-47d9-8b00-9f9c930d55ae.vbs" 12⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Public\Music\csrss.exe C:\Users\Public\Music\csrss.exe 13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2372

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1a856c6-2426-45fb-a758-2d17efdc7c79.vbs" 14⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Public\Music\csrss.exe C:\Users\Public\Music\csrss.exe 15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2960

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0171763c-71c2-4e3c-8c68-093b64761c5f.vbs" 16⤵
PID:2260

C:\Users\Public\Music\csrss.exe C:\Users\Public\Music\csrss.exe 17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2632

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80e37603-dece-4592-a79d-475ca6a1ae73.vbs" 18⤵
PID:2908

C:\Users\Public\Music\csrss.exe C:\Users\Public\Music\csrss.exe 19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:996

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23991465-76a0-4f90-82fe-d5aa0fb580a7.vbs" 20⤵
PID:744

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e766a6-9da2-4f8b-abcf-8d2e1fc4092d.vbs" 20⤵
PID:2012

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2792d07b-8e07-4cbe-bce6-91338e48614f.vbs" 18⤵
PID:1968

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aac781cb-cd6e-495a-a362-6483b6795880.vbs" 16⤵
PID:2648

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33ad29b9-73a0-4134-9736-caa93061f2f8.vbs" 14⤵
PID:2436

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e4f1e69-41b0-4020-ab97-312ff552da46.vbs" 12⤵
PID:456

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73302e4f-4598-4b6f-afd2-37618fcf315f.vbs" 10⤵
PID:2132

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01e17cf7-0f94-448a-98f0-ea331aace60f.vbs" 8⤵
PID:736

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d56f833e-79da-4031-8d9b-47913df4d2c5.vbs" 6⤵
PID:2880

C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaf1188b-9d65-4488-a04a-28dbf6e1dd92.vbs" 4⤵
PID:2116

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\taskhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Scheduled Task/Job: 1
Downloads