Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-11-2024 09:00
Static task: static1
Behavioral task: behavioral1
Sample: 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Resource: win10v2004-20241007-en
General
Target: 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Size: 1.8MB
MD5: ad09440875d20aadffdfdc8de043c448
SHA1: fbfc7d94285b1da7e0799382a40352f827984771
SHA256: 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508
SHA512: e8d80aa2ec81b8b06b2a83e18674e19137b996f405dc4e6c93a3fcf76de0e949cbc333396a22141963043fd55ff9a8711eabd0963b933df58e4438f42706e8a3
SSDEEP: 24576:zyvTg4STbYSG65XZsTBsR36Y1864kHFLlb/sgaspAqsbTsIvVJUl52iFxA4Gbgz:W6hdR3KlyFLlbsrs6PbTJU24GbQ
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Users\\All Users\\Application Data\\spoolsv.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\sppsvc.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Users\\All Users\\Application Data\\spoolsv.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Users\\All Users\\Application Data\\spoolsv.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\services.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Users\\All Users\\Application Data\\spoolsv.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\audiodg.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1628 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1340 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2560 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2536 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1132 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2752 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2160 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2084 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2144 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 908 | 2600 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 608 | 2600 | schtasks.exe | 30
-
Executes dropped EXE 10 IoCs
pid | Process
1156 | services.exe
1552 | services.exe
1756 | services.exe
2796 | services.exe
272 | services.exe
2912 | services.exe
1260 | services.exe
1620 | services.exe
600 | services.exe
2860 | services.exe
-
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\services.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\audiodg.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\Application Data\\spoolsv.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\services.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\Application Data\\spoolsv.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\audiodg.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Portable Devices\\services.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Portable Devices\\services.exe\"" | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | \??\c:\Windows\System32\CSC1175C02539E049A5A5E5181F551552D.TMP | csc.exe
File created | \??\c:\Windows\System32\1woi1z.exe | csc.exe
-
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Windows NT\TableTextService\ja-JP\audiodg.exe | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
File created | C:\Program Files\Windows NT\TableTextService\ja-JP\42af1c969fbb7b | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
File created | C:\Program Files\Windows Portable Devices\services.exe | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
File created | C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
File created | C:\Program Files\Windows NT\TableTextService\ja-JP\audiodg.exe | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
572 | PING.EXE
1244 | PING.EXE
1608 | PING.EXE
2800 | PING.EXE
2400 | PING.EXE
1980 | PING.EXE
820 | PING.EXE
-
Runs ping.exe 1 TTPs 7 IoCs
pid | Process
1244 | PING.EXE
1608 | PING.EXE
2800 | PING.EXE
2400 | PING.EXE
1980 | PING.EXE
820 | PING.EXE
572 | PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1340 | schtasks.exe
2020 | schtasks.exe
1848 | schtasks.exe
2752 | schtasks.exe
2144 | schtasks.exe
2592 | schtasks.exe
2560 | schtasks.exe
2548 | schtasks.exe
2084 | schtasks.exe
608 | schtasks.exe
1628 | schtasks.exe
2536 | schtasks.exe
2896 | schtasks.exe
2160 | schtasks.exe
2844 | schtasks.exe
1132 | schtasks.exe
2868 | schtasks.exe
908 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2668 | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
1156 | services.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2668 | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe
Token: SeDebugPrivilege | 1156 | services.exe
Token: SeDebugPrivilege | 1552 | services.exe
Token: SeDebugPrivilege | 1756 | services.exe
Token: SeDebugPrivilege | 2796 | services.exe
Token: SeDebugPrivilege | 272 | services.exe
Token: SeDebugPrivilege | 2912 | services.exe
Token: SeDebugPrivilege | 1260 | services.exe
Token: SeDebugPrivilege | 1620 | services.exe
Token: SeDebugPrivilege | 600 | services.exe
Token: SeDebugPrivilege | 2860 | services.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2668 wrote to memory of 1676 | 2668 | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe | 34
PID 1676 wrote to memory of 1580 | 1676 | csc.exe | 36
PID 2668 wrote to memory of 2292 | 2668 | 5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe | 52
PID 2292 wrote to memory of 2120 | 2292 | cmd.exe | 54
PID 2292 wrote to memory of 1644 | 2292 | cmd.exe | 55
PID 2292 wrote to memory of 1156 | 2292 | cmd.exe | 56
PID 1156 wrote to memory of 2304 | 1156 | services.exe | 57
PID 2304 wrote to memory of 1732 | 2304 | cmd.exe | 59
PID 2304 wrote to memory of 1640 | 2304 | cmd.exe | 60
PID 2304 wrote to memory of 1552 | 2304 | cmd.exe | 61
PID 1552 wrote to memory of 2860 | 1552 | services.exe | 62
PID 2860 wrote to memory of 652 | 2860 | cmd.exe | 64
PID 2860 wrote to memory of 1244 | 2860 | cmd.exe | 65
PID 2860 wrote to memory of 1756 | 2860 | cmd.exe | 66
PID 1756 wrote to memory of 2424 | 1756 | services.exe | 67
PID 2424 wrote to memory of 1600 | 2424 | cmd.exe | 69
PID 2424 wrote to memory of 1608 | 2424 | cmd.exe | 70
PID 2424 wrote to memory of 2796 | 2424 | cmd.exe | 71
PID 2796 wrote to memory of 2604 | 2796 | services.exe | 72
PID 2604 wrote to memory of 2392 | 2604 | cmd.exe | 74
PID 2604 wrote to memory of 2800 | 2604 | cmd.exe | 75
PID 2604 wrote to memory of 272 | 2604 | cmd.exe | 76
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe (depth 1, PID:2668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 2, PID:1676)
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mn3xwpao\mn3xwpao.cmdline"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 3, PID:1580)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57B1.tmp" "c:\Windows\System32\CSC1175C02539E049A5A5E5181F551552D.TMP"
- C:\Windows\System32\cmd.exe (depth 2, PID:2292)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UYUmGuClre.bat"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\chcp.com (depth 3, PID:2120)
  Command line: chcp 65001
- C:\Windows\system32\w32tm.exe (depth 3, PID:1644)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files\Windows Portable Devices\services.exe (depth 3, PID:1156)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\cmd.exe (depth 4, PID:2304)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h2sGrcN1Zw.bat"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\chcp.com (depth 5, PID:1732)
  Command line: chcp 65001
- C:\Windows\system32\w32tm.exe (depth 5, PID:1640)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files\Windows Portable Devices\services.exe (depth 5, PID:1552)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\cmd.exe (depth 6, PID:2860)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CbjDYjSaFp.bat"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\chcp.com (depth 7, PID:652)
  Command line: chcp 65001
- C:\Windows\system32\PING.EXE (depth 7, PID:1244)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
- C:\Program Files\Windows Portable Devices\services.exe (depth 7, PID:1756)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\cmd.exe (depth 8, PID:2424)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\chcp.com (depth 9, PID:1600)
  Command line: chcp 65001
- C:\Windows\system32\PING.EXE (depth 9, PID:1608)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
- C:\Program Files\Windows Portable Devices\services.exe (depth 9, PID:2796)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\cmd.exe (depth 10, PID:2604)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KjGpFKlenR.bat"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\chcp.com (depth 11, PID:2392)
  Command line: chcp 65001
- C:\Windows\system32\PING.EXE (depth 11, PID:2800)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
- C:\Program Files\Windows Portable Devices\services.exe (depth 11, PID:272)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (depth 12, PID:1060)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mb6Aq3ZX7x.bat"
- C:\Windows\system32\chcp.com (depth 13, PID:2636)
  Command line: chcp 65001
- C:\Windows\system32\PING.EXE (depth 13, PID:2400)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
- C:\Program Files\Windows Portable Devices\services.exe (depth 13, PID:2912)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (depth 14, PID:2164)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6jqn6DqxiC.bat"
- C:\Windows\system32\chcp.com (depth 15, PID:1588)
  Command line: chcp 65001
- C:\Windows\system32\w32tm.exe (depth 15, PID:2120)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files\Windows Portable Devices\services.exe (depth 15, PID:1260)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (depth 16, PID:2068)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAbXgo5nXx.bat"
- C:\Windows\system32\chcp.com (depth 17, PID:2680)
  Command line: chcp 65001
- C:\Windows\system32\PING.EXE (depth 17, PID:1980)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
- C:\Program Files\Windows Portable Devices\services.exe (depth 17, PID:1620)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (depth 18, PID:1156)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat"
- C:\Windows\system32\chcp.com (depth 19, PID:2332)
  Command line: chcp 65001
- C:\Windows\system32\w32tm.exe (depth 19, PID:1664)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files\Windows Portable Devices\services.exe (depth 19, PID:600)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (depth 20, PID:2024)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SPR0cWdHM6.bat"
- C:\Windows\system32\chcp.com (depth 21, PID:2112)
  Command line: chcp 65001
- C:\Windows\system32\PING.EXE (depth 21, PID:820)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
- C:\Program Files\Windows Portable Devices\services.exe (depth 21, PID:2860)
  Command line: "C:\Program Files\Windows Portable Devices\services.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (depth 22, PID:1052)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ye8GjO9RaC.bat"
- C:\Windows\system32\chcp.com (depth 23, PID:2324)
  Command line: chcp 65001
- C:\Windows\system32\PING.EXE (depth 23, PID:572)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
- C:\Windows\system32\schtasks.exe (depth 1, PID:2844)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2592)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:1628)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:1340)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2020)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:1848)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2560)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2536)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:1132)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2868)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2896)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2548)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2752)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2160)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2084)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:2144)
  Command line: schtasks.exe /create /tn "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e45487935085" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:908)
  Command line: schtasks.exe /create /tn "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1, PID:608)
  Command line: schtasks.exe /create /tn "5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e45487935085" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\5af44c8748dfd602affc88b52200f5c0f9c54065876a8de8dddb1e4548793508.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
Downloads
-
Filesize
182B
MD57c6b543dbbe29af918f1970cae43512b
SHA125aafb25e7baa12c95c985429b30fb3f29aa5899
SHA256f71ad03b777c360401a489aba9144ba54ccd9d3c0b8ba466adc3619e090d347a
SHA5126e567627eab3ed5aff902fe6c74f31a3587398c6b708f79b2262e21510406a978236ce4fc7ba0cc3b3f1f2b76605949b81780d0bdefe3807d014f118da8d3bc4
-
Filesize
182B
MD5dd46dfe7d69a1f191f85bc9b9b414de6
SHA168127be9fdd43e18e1fff6b2c05f31729937d506
SHA256b37fd75e326bda830e965109ba539dcd08b2fe1365711bec55954ea556e282d4
SHA5124d41abea578bf365cf364343d963890af943eaa87d4802a5bf9af300944d3850ef3a42784c238410bd65d10b761087e02f94eb23f9161b183a244cfabba75fc5
-
Filesize
230B
MD5a0d3588b5fa2315d1174bf5fcfeb5cf2
SHA1fed5004846c47bfc55ade12cb76f577ab5d5ac61
SHA2564b73376892074536d0f72623e86229ab27a6f30b038414a8aacc1034b5f818b2
SHA512a435f4f2df130d722e98addf324160d2493f5a824d082d3a1cc993462b6de01d5a57f9dbaba1a094ca63d8fa6df3e9f98c504c35233cd5306c7d105f6b74caf5
-
Filesize
182B
MD5c36b44adf6dce7c9ef0c55710e714c3d
SHA1eaac0c358db9e901b924239cfe7faebab8c28959
SHA256572e2387785345c2a97e13cb263e0712321833ce15892231b033605059c58712
SHA5128c1858ef31be10194b436902525ff6888f156dcee75153cb13293297c067e7aa5f7a31eb00d78e6a669363bd882e7b6e13090752127a1f8ac8d13d748395438c
-
Filesize
182B
MD57180a0a1956d043f0deab8b418845f8b
SHA15a9f11accfc3d3b7f642832b81af02d085ad58b1
SHA2568e0824dd670a1b2db7ac52d46ca4963f4ccdf0533604e83483838c960c7873d4
SHA5122e9a1e6f092db1ab58df038883c982df821c9cda850d65a373b2f20683b743fcdfd496d3676613ca6a471da545286efa8468da0e94686af696f59698d7d57403
-
Filesize
230B
MD586741f9eea37ce82dd0359c627cfa2b3
SHA10050a90230880766e7afcf912e615eee1ff79e4f
SHA256eb1883f52492d2c7cf0610f87f2883936e0d70bbca9b0a0a8d39ca3bfd9668f1
SHA51286715b471b4d8a1d0f16302f3df5d180cdc23598be9429e1e71ebbf5ea97550f08ee3e8591beb0c5041c09806d37d7824dabbd95cdbaa02bcc36e12cbfc8413f
-
Filesize
364B
MD56b7a7a86176cbc2d7b41879583664ddc
SHA1ac40b614695cc3b57d504f9b77dc8949c7be0b89
SHA256452abf82eae0d5ca5336885721ce4c96c7872e832f0c402f4fe7972e058c194e
SHA512c7bb0152eee06681e6093531d41c056583dd391da38ffa41c8bc186b6825fb98e75900dd0fe3b418f12271643b93d6751f1c4fc951bf347a3dd39eeffe29f190
-
Filesize
235B
MD586a1be0f325f219fb6b581975db62319
SHA14cd7a02cb3b8b58fcbc40771b74cb79480bfc02a
SHA2561c1728a8d6a38ecbf7be42b4cb897b99c0460dfe93313ea6f2a73deaeb7df83f
SHA51277c868cb4265fa8f94e1d9529a13f8c71af1ad655ac87fa3d437ee6059250b902fe76c3de4150202f113234d023052e5c8a09be2451751722d5042e0a40d91d7
-
Filesize
1KB
MD5dcd286f3a69cfd0292a8edbc946f8553
SHA14d347ac1e8c1d75fc139878f5646d3a0b083ef17
SHA25629e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596
SHA5124b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77