Analysis
max time kernel: 145s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 21:43
Behavioral task: behavioral1
Sample: JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Size: 1.3MB
MD5: 42d93f60c0d6355dba66fa60fb0d74a3
SHA1: e9a8f4b9f39efdcbe1d64966e43da1ee69ad5b12
SHA256: 6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927
SHA512: 986548e4094b86f2bc9536c8bed300039672c812cef97cd33ff7522cc108cabf3fbdc6780dfc0c6b4db5c9cd1478296b5c373afe4b2682d9b7b604410e08c002
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1884 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2460 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1656 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4436 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3988 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1892 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1944 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4784 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3796 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 740 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5076 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4536 | 3016 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4588 | 3016 | schtasks.exe | 88
-
resource | yara_rule
behavioral2/files/0x000a000000023b66-10.dat | dcrat
behavioral2/memory/2080-13-0x00000000009F0000-0x0000000000B00000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2300 | powershell.exe
408 | powershell.exe
2192 | powershell.exe
3172 | powershell.exe
4476 | powershell.exe
3516 | powershell.exe
-
Checks computer location settings 2 TTPs 18 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
-
Executes dropped EXE 16 IoCs
pid | Process
2080 | DllCommonsvc.exe
2256 | taskhostw.exe
4956 | taskhostw.exe
448 | taskhostw.exe
2988 | taskhostw.exe
2460 | taskhostw.exe
1476 | taskhostw.exe
1524 | taskhostw.exe
1992 | taskhostw.exe
4852 | taskhostw.exe
4264 | taskhostw.exe
1768 | taskhostw.exe
2692 | taskhostw.exe
4000 | taskhostw.exe
4376 | taskhostw.exe
3584 | taskhostw.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
flow | ioc
19 | raw.githubusercontent.com
41 | raw.githubusercontent.com
42 | raw.githubusercontent.com
54 | raw.githubusercontent.com
38 | raw.githubusercontent.com
52 | raw.githubusercontent.com
55 | raw.githubusercontent.com
20 | raw.githubusercontent.com
51 | raw.githubusercontent.com
53 | raw.githubusercontent.com
44 | raw.githubusercontent.com
50 | raw.githubusercontent.com
22 | raw.githubusercontent.com
36 | raw.githubusercontent.com
37 | raw.githubusercontent.com
43 | raw.githubusercontent.com
-
Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\Prefetch\ReadyBoot\TextInputHost.exe | DllCommonsvc.exe
File created | C:\Windows\Prefetch\ReadyBoot\22eafd247d37c3 | DllCommonsvc.exe
File created | C:\Windows\PrintDialog\Assets\taskhostw.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\PrintDialog\Assets\taskhostw.exe | DllCommonsvc.exe
File created | C:\Windows\PrintDialog\Assets\ea9f0e6c9e2dcd | DllCommonsvc.exe
File created | C:\Windows\ja-JP\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\ja-JP\6cb0b6c459d5d3 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class 17 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1944 | schtasks.exe
1764 | schtasks.exe
740 | schtasks.exe
4536 | schtasks.exe
4436 | schtasks.exe
1656 | schtasks.exe
2708 | schtasks.exe
3796 | schtasks.exe
2460 | schtasks.exe
5076 | schtasks.exe
3988 | schtasks.exe
1892 | schtasks.exe
4784 | schtasks.exe
4588 | schtasks.exe
1884 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process
2080 | DllCommonsvc.exe
2080 | DllCommonsvc.exe
2080 | DllCommonsvc.exe
3172 | powershell.exe
3172 | powershell.exe
3516 | powershell.exe
4476 | powershell.exe
408 | powershell.exe
2300 | powershell.exe
2192 | powershell.exe
4476 | powershell.exe
3516 | powershell.exe
2300 | powershell.exe
408 | powershell.exe
2192 | powershell.exe
2256 | taskhostw.exe
4956 | taskhostw.exe
448 | taskhostw.exe
2988 | taskhostw.exe
2460 | taskhostw.exe
1476 | taskhostw.exe
1524 | taskhostw.exe
1992 | taskhostw.exe
4852 | taskhostw.exe
4264 | taskhostw.exe
1768 | taskhostw.exe
2692 | taskhostw.exe
4000 | taskhostw.exe
4376 | taskhostw.exe
3584 | taskhostw.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2080 | DllCommonsvc.exe
Token: SeDebugPrivilege | 3172 | powershell.exe
Token: SeDebugPrivilege | 4476 | powershell.exe
Token: SeDebugPrivilege | 3516 | powershell.exe
Token: SeDebugPrivilege | 408 | powershell.exe
Token: SeDebugPrivilege | 2300 | powershell.exe
Token: SeDebugPrivilege | 2192 | powershell.exe
Token: SeDebugPrivilege | 2256 | taskhostw.exe
Token: SeDebugPrivilege | 4956 | taskhostw.exe
Token: SeDebugPrivilege | 448 | taskhostw.exe
Token: SeDebugPrivilege | 2988 | taskhostw.exe
Token: SeDebugPrivilege | 2460 | taskhostw.exe
Token: SeDebugPrivilege | 1476 | taskhostw.exe
Token: SeDebugPrivilege | 1524 | taskhostw.exe
Token: SeDebugPrivilege | 1992 | taskhostw.exe
Token: SeDebugPrivilege | 4852 | taskhostw.exe
Token: SeDebugPrivilege | 4264 | taskhostw.exe
Token: SeDebugPrivilege | 1768 | taskhostw.exe
Token: SeDebugPrivilege | 2692 | taskhostw.exe
Token: SeDebugPrivilege | 4000 | taskhostw.exe
Token: SeDebugPrivilege | 4376 | taskhostw.exe
Token: SeDebugPrivilege | 3584 | taskhostw.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2584 wrote to memory of 3088 | 2584 | JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe | 83
PID 2584 wrote to memory of 3088 | 2584 | JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe | 83
PID 2584 wrote to memory of 3088 | 2584 | JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe | 83
PID 3088 wrote to memory of 1888 | 3088 | WScript.exe | 85
PID 3088 wrote to memory of 1888 | 3088 | WScript.exe | 85
PID 3088 wrote to memory of 1888 | 3088 | WScript.exe | 85
PID 1888 wrote to memory of 2080 | 1888 | cmd.exe | 87
PID 1888 wrote to memory of 2080 | 1888 | cmd.exe | 87
PID 2080 wrote to memory of 2300 | 2080 | DllCommonsvc.exe | 105
PID 2080 wrote to memory of 2300 | 2080 | DllCommonsvc.exe | 105
PID 2080 wrote to memory of 2192 | 2080 | DllCommonsvc.exe | 106
PID 2080 wrote to memory of 2192 | 2080 | DllCommonsvc.exe | 106
PID 2080 wrote to memory of 408 | 2080 | DllCommonsvc.exe | 107
PID 2080 wrote to memory of 408 | 2080 | DllCommonsvc.exe | 107
PID 2080 wrote to memory of 3172 | 2080 | DllCommonsvc.exe | 108
PID 2080 wrote to memory of 3172 | 2080 | DllCommonsvc.exe | 108
PID 2080 wrote to memory of 4476 | 2080 | DllCommonsvc.exe | 109
PID 2080 wrote to memory of 4476 | 2080 | DllCommonsvc.exe | 109
PID 2080 wrote to memory of 3516 | 2080 | DllCommonsvc.exe | 110
PID 2080 wrote to memory of 3516 | 2080 | DllCommonsvc.exe | 110
PID 2080 wrote to memory of 1484 | 2080 | DllCommonsvc.exe | 117
PID 2080 wrote to memory of 1484 | 2080 | DllCommonsvc.exe | 117
PID 1484 wrote to memory of 2584 | 1484 | cmd.exe | 119
PID 1484 wrote to memory of 2584 | 1484 | cmd.exe | 119
PID 1484 wrote to memory of 2256 | 1484 | cmd.exe | 124
PID 1484 wrote to memory of 2256 | 1484 | cmd.exe | 124
PID 2256 wrote to memory of 3052 | 2256 | taskhostw.exe | 132
PID 2256 wrote to memory of 3052 | 2256 | taskhostw.exe | 132
PID 3052 wrote to memory of 1648 | 3052 | cmd.exe | 134
PID 3052 wrote to memory of 1648 | 3052 | cmd.exe | 134
PID 3052 wrote to memory of 4956 | 3052 | cmd.exe | 136
PID 3052 wrote to memory of 4956 | 3052 | cmd.exe | 136
PID 4956 wrote to memory of 1912 | 4956 | taskhostw.exe | 138
PID 4956 wrote to memory of 1912 | 4956 | taskhostw.exe | 138
PID 1912 wrote to memory of 3208 | 1912 | cmd.exe | 140
PID 1912 wrote to memory of 3208 | 1912 | cmd.exe | 140
PID 1912 wrote to memory of 448 | 1912 | cmd.exe | 145
PID 1912 wrote to memory of 448 | 1912 | cmd.exe | 145
PID 448 wrote to memory of 4848 | 448 | taskhostw.exe | 147
PID 448 wrote to memory of 4848 | 448 | taskhostw.exe | 147
PID 4848 wrote to memory of 4628 | 4848 | cmd.exe | 149
PID 4848 wrote to memory of 4628 | 4848 | cmd.exe | 149
PID 4848 wrote to memory of 2988 | 4848 | cmd.exe | 151
PID 4848 wrote to memory of 2988 | 4848 | cmd.exe | 151
PID 2988 wrote to memory of 4788 | 2988 | taskhostw.exe | 153
PID 2988 wrote to memory of 4788 | 2988 | taskhostw.exe | 153
PID 4788 wrote to memory of 1444 | 4788 | cmd.exe | 155
PID 4788 wrote to memory of 1444 | 4788 | cmd.exe | 155
PID 4788 wrote to memory of 2460 | 4788 | cmd.exe | 157
PID 4788 wrote to memory of 2460 | 4788 | cmd.exe | 157
PID 2460 wrote to memory of 2416 | 2460 | taskhostw.exe | 159
PID 2460 wrote to memory of 2416 | 2460 | taskhostw.exe | 159
PID 2416 wrote to memory of 5040 | 2416 | cmd.exe | 161
PID 2416 wrote to memory of 5040 | 2416 | cmd.exe | 161
PID 2416 wrote to memory of 1476 | 2416 | cmd.exe | 163
PID 2416 wrote to memory of 1476 | 2416 | cmd.exe | 163
PID 1476 wrote to memory of 4888 | 1476 | taskhostw.exe | 165
PID 1476 wrote to memory of 4888 | 1476 | taskhostw.exe | 165
PID 4888 wrote to memory of 3476 | 4888 | cmd.exe | 167
PID 4888 wrote to memory of 3476 | 4888 | cmd.exe | 167
PID 4888 wrote to memory of 1524 | 4888 | cmd.exe | 169
PID 4888 wrote to memory of 1524 | 4888 | cmd.exe | 169
PID 1524 wrote to memory of 2916 | 1524 | taskhostw.exe | 171
PID 1524 wrote to memory of 2916 | 1524 | taskhostw.exe | 171
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584

2⤵ C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3088

3⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1888

4⤵ C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\Assets\taskhostw.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\TextInputHost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

5⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EbVxSN2hCq.bat"
- Suspicious use of WriteProcessMemory
PID:1484

6⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2584

6⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

7⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
- Suspicious use of WriteProcessMemory
PID:3052

8⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1648

8⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956

9⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
- Suspicious use of WriteProcessMemory
PID:1912

10⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3208

10⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448

11⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat"
- Suspicious use of WriteProcessMemory
PID:4848

12⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4628

12⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

13⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
- Suspicious use of WriteProcessMemory
PID:4788

14⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1444

14⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

15⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
- Suspicious use of WriteProcessMemory
PID:2416

16⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:5040

16⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

17⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
- Suspicious use of WriteProcessMemory
PID:4888

18⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3476

18⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

19⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
PID:2916

20⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4692

20⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

21⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
PID:3212

22⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4128

22⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852

23⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
PID:4780

24⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3480

24⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

25⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
PID:1088

26⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:5100

26⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

27⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
PID:4028

28⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:5060

28⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

29⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
PID:4304

30⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2172

30⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

31⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
PID:4692

32⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2448

32⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

33⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
PID:3020

34⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2312

34⤵ C:\Windows\PrintDialog\Assets\taskhostw.exe
Command line: "C:\Windows\PrintDialog\Assets\taskhostw.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

35⤵ C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
PID:3224

36⤵ C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4340

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\PrintDialog\Assets\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\Assets\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ja-JP\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

1⤵ C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
208B
MD545ea5b015190081b3626c05a46d7c089
SHA194dba8b6b56e64c3ef5a6a3001a33d4d5b3794e6
SHA256918f53c2d790e42eadedf15373d0b2f77c7ec77014da29bca8b65393e3f77564
SHA51237f36c806b4c9b9e8d3a204ef68c0fb30d8097a2a6449c0513cc3f2bf6a9b27d88157d9d507a3e35bc9a9c2868c414d8411ec7fd25b2ee8350f601a7386eb80c
-
Filesize
208B
MD592e168114a157209bd4e8f4eae2ef3c7
SHA1ea51f4c5bcd14672e00d9ead2776dadbf1cb73cd
SHA256f8755520a3471c6faa26ea67f709af69ecf5d18122c7a1b9d81e5e873c911399
SHA512fb07b8260348d660e1e4087192113cd06b4912601bd7afbcde4c308ed871e82a5ee662593b1b064d8ec45732e27c071e3262ae8c47e92b15b7772f998af8eb5d
-
Filesize
208B
MD5a169c01ff01f2b8126de6ba81d2103aa
SHA1f7ba97858c985e750c44521f3132fbdfe00a50dc
SHA2566389528c0fa5bd614dc1f1b38bbe43131cedbde83c2feb06b3c0815320fa84e8
SHA512ed138ca53d605bfed1eb7b20141d0351728fcecbcd32f2f78a948156d6e54159c1d87ba547ec4c8dc3c20ca8e73770402b34a2a4cf565379a7b0b9618462ddd2
-
Filesize
208B
MD5e48132b8a168998a27c8771dcd8eb284
SHA1cb1ab8900a24073b2bc0c275a00fb3137c1c187c
SHA256c67c197e625e87049bd9e043aebe00e6572a6da436a88b7ee047f0f3e9471b36
SHA51213172964bc0efa4278e9fdf93a9f44b59b511bafe05aca680fb94106b4eb97ffa3459a7cc7702c6dd1dfb63e417a801581a89c42487c61478e74a6a18fd045db
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
208B
MD5c2ca3e7d9677a772c8a4bcad7a4dc4ef
SHA18397e2cc352bb3274d8ff67f9a29c0893248bed3
SHA256e4077d5802d97da9d22cc914b593facf0a249832bda802c901eaf0f64b659d93
SHA5122913a4f6186cd4daa1ce8d5faf24af9347a81653b0b1d0f183a6731dacf335b6606cb8718b459fdddc9ed8ed52fbc616fe57c7b8731ba43122752d65009b0765
-
Filesize
208B
MD59560519ccf60c752eb39706cdc068460
SHA1250bb3a542257db3fc64b6f8732ab8c8fa4e54b1
SHA256660d84a26fe7ddb858ff730ed3ec516cae2d8c3764f10993f190a5d9fa32bc6d
SHA5124a4ee9df36f1d99977059a9c8fcc6413873795556b1bcb1b3bfe73f072038f2cc1aa1c0f7783295a495bf4a2e43674faa1454a75e368d81a2fed1332fac7e159
-
Filesize
208B
MD521b3948d5859659919e1ee9d45006b34
SHA131f5ed5f7bb1119bb5f8f64a633b3efb48717b2d
SHA256e43a112b5469a5c9bd9f2029fee1e4ad2ce1df4c8fa91b941e5209759cf33344
SHA5125bf3899fc6a4767ead1601d0ecbb65abef9f645fd61fc1b66d2a8289ab636b29eb064b89a6c73dd987b8f9447fa13dfde7511991c527edf9f71ec5c305cb5640
-
Filesize
208B
MD54bbe80b4d3fec31309496736f034558c
SHA1cc77a34679afb27ba7952ebe3bbafbce3940ac25
SHA2569ec341db4e6b18270a63fb35bacfd002cffe2cc2506efa41b34ff84ee45e3713
SHA512fad4960fe54dd7da9796626fa2f5cef1e67c4d16c1bedc5819e6b082eeeb65324bf7878998341e3c47287183f00a2f0429444970b46ce7f06dcacbc1bac5337e
-
Filesize
208B
MD5d1379495e0001cf6b0c07f896901f8ae
SHA1aefed7fc4f27333dd8625a9edf8260fb8f761ea6
SHA2561f419cc98ac1f297fcf31f5b2380e91823f97eb240bcf335177b9897587e3979
SHA512b7d99f0aa8b951487cbae5325276cce97ba326d67d4b985aae9a2bfb00b9a7abe8667a53a057d94f250dadb5c6c7c9d23d2f94243135db9350156d2fe958a2bb
-
Filesize
208B
MD544b67c431df465d714770e9ca63b32c1
SHA12bcdaeaf24e3aa6e5b374613d7c8b990993a46ed
SHA2562a4486241554927c31c7932ca740d5af0bf76f6361002c9141eac2fd290d42ce
SHA51220bd068873acf44e47138a05ef20be22e13ccc69060ce3a0f6630b042dad9e5017daf3867bb42964068202fb1508b63b197a6645718de380fddbea4f25ce4219
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478